b'      REDACTED FOR PUBLIC RELEASE\n\n\n\n\nSENTINEL AUDIT III: STATUS OF\n   THE FEDERAL BUREAU OF\n    INVESTIGATION\xe2\x80\x99S CASE\n     MANAGEMENT SYSTEM\n        U.S. Department of Justice\n      Office of the Inspector General\n               Audit Division\n\n           Audit Report 07-40\n              August 2007\n\n\n\n\n      REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n\n  SENTINEL AUDIT III: STATUS OF THE FEDERAL BUREAU OF\n      INVESTIGATION\xe2\x80\x99S CASE MANAGEMENT SYSTEM*\n\n                         EXECUTIVE SUMMARY\n\n      In March 2006, the Federal Bureau of Investigation (FBI)\nannounced that it had awarded a contract to Lockheed Martin Services,\nIncorporated (Lockheed Martin) to develop the Sentinel information\nand case management system. The cost of the four phases of the\nLockheed contract was $305 million, and the FBI estimated that it\nwould cost an additional $120 million to staff and administer the FBI\xe2\x80\x99s\nSentinel Program Management Office (PMO), with the total estimated\ncost of Sentinel at $425 million. The initial schedule for the Lockheed\nMartin contract called for all phases to be completed in December\n2009.\n\n      On June 19, 2007, the FBI announced that it had fully deployed\nPhase 1 of Sentinel to provide FBI employees with user-friendly,\nweb-based access to information currently in the FBI\xe2\x80\x99s antiquated\nAutomated Case Support (ACS) system and improved search\ncapabilities. 1 Phase 1 of Sentinel features a personal workbox, which\nsummarizes a user\xe2\x80\x99s cases and leads, and a squad workbox, which\nallows supervisors to better manage resources and make\nassignments. 2\n\n      The Sentinel project integrates commercial off-the-shelf (COTS)\ncomponents and eventually is intended to provide the FBI with an\nelectronic information management system, automated workflow\nprocesses, search capabilities, and information sharing with other law\nenforcement agencies and the intelligence community. The FBI\nDirector has stated that, \xe2\x80\x9cSentinel will strengthen the FBI\xe2\x80\x99s capabilities\nby replacing its primarily paper-based reporting system with an\nelectronic system designed for information sharing. Sentinel will\n\n       * The full version of this report included information that the FBI considered\nto be sensitive proprietary information. To create this public version of the report,\nthe OIG redacted (deleted) the sensitive portions and noted that the information was\nredacted.\n       1\n         ACS is the FBI\xe2\x80\x99s current case management system. Deployed in 1995, ACS\nis a mainframe computer system.\n       2\n          A lead is a request from any FBI field office or headquarters for assistance\nin the investigation of a case.\n\n                                          -i-\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nsupport our current priorities, including our number one priority:\npreventing terrorist attacks.\xe2\x80\x9d 3\n\nAudit Approach\n      The Office of the Inspector General (OIG) is performing audits of\nthe Sentinel project at the request of the FBI Director and\ncongressional appropriations and oversight committees. This audit is\nthe third in a series of audits on Sentinel that the OIG intends to\nconduct to evaluate Sentinel\xe2\x80\x99s progress and implementation. The\nobjectives of this third audit were to evaluate: (1) the status of the\nproject, including the FBI\xe2\x80\x99s monitoring of the contractor\xe2\x80\x99s performance\nduring Phase 1, (2) the planning for and progress of Phase 2, and\n(3) the resolution of concerns identified in our two previous Sentinel\naudits. 4 Future OIG audits will continue to examine the progress of\nSentinel over its remaining phases and assess whether Sentinel\xe2\x80\x99s cost,\nschedule, performance, and technical benchmarks are being met. 5\n\nOIG Audit Results in Brief\n\n       Phase 1 of Sentinel, which was completed on June 19, 2007,\ndelivered two key project components: a web-based portal to ACS\nand workboxes that summarize case information. The user\nfriendliness of the portal and workboxes should enhance access to\ninformation and case management within the FBI. The FBI deferred\none deliverable initially planned for Phase 1 because it would be more\ntechnically feasible to accomplish it in Phase 2, and the FBI did not\nclearly articulate which components of another deliverable would be\naccomplished in Phase 1 and which components would be\naccomplished in later project phases. While we cannot yet assess the\n\n       3\n        FBI Press Release entitled FBI Announces Award of Sentinel Contract,\nMarch 16, 2006.\n       4\n         See Department of Justice Office of the Inspector General, The Federal\nBureau of Investigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls Over the Sentinel\nCase Management System, Audit Report Number 06-14, March 2006; and\nDepartment of Justice, Office of the Inspector General, Sentinel Audit II: Status of\nthe Federal Bureau of Investigation\xe2\x80\x99s Case Management System, Audit Report\nNumber 07-03, December 2006.\n       5\n          Although we originally intended to cover the early stages of Phase 2 of\nSentinel in this report, Phase 2 had not yet begun when our audit fieldwork was\ncompleted in May 2007. However, we evaluated the impact the FBI\xe2\x80\x99s experience\nwith Phase 1 had on how the FBI plans to approach Phase 2. We will evaluate\nprogress under Phase 2 of the project in our next audit.\n\n                                        - ii -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nfull impact of completing an original Phase 1 deliverable in a\nsubsequent project phase, some future cost and schedule pressures\nmay result. In addition, we question why cost adjustments did not\noccur in Phase 1 due to reduced requirements.\n\n      In addition, Phase 1 was completed in about 14 months instead\nof the planned 12 months. Our audit found the following four primary\ncauses for this short delay: (1) an unrealistic schedule, (2) delays by\nLockheed Martin in fully staffing the project with appropriately\nexperienced personnel, (3) challenges in integrating the various COTS\nsoftware components to work as a system, and (4) problems in\nassessing the project\xe2\x80\x99s progress against the approved schedule.\n\n       Our audit found that one of the four deliverables initially planned\nfor completion in Phase 1 was deferred to Phase 2: cleansing the data\nin the electronic case file module of ACS so that the data is in a\nuniform format for eventual transfer (migration) to Sentinel. As the\nSentinel project progressed, the FBI determined that the data\ncleansing planned for Phase 1 posed significant risks to the integrity of\nthe data and should be moved to Phase 2. In addition, the FBI did not\nadequately define one of the four Phase 1 deliverables, the\nfoundational components of a service-oriented architecture. 6 Because\nthe FBI\xe2\x80\x99s expectations for implementing a service-oriented architecture\nin Phase 1 were vague, we could not assess whether Phase 1 achieved\nits objectives in this area. FBI officials said that Phase 1 delivered an\nenterprise service bus, which they said was the only foundational\ncomponent of a service-oriented architecture that was appropriate for\nthis initial phase of the project. 7\n\n      Our audit also found that the costs for the Sentinel project have\nincreased a small amount from the initial estimates for Phase 1. As a\nresult of a series of contract modifications, some of which pre-\npurchased software for Phase 2, the budget for the Phase 1, including\naward fees, increased from $57.2 to $59.7 million. However, the\noverall contract value of $305 million did not change. Lockheed Martin\nalso estimates that its costs exceeded the revised contract amount by\napproximately $4.4 million due to requirements the FBI added but did\n\n       6\n          A service-oriented architecture is a software design approach in which\nsoftware components, called services, can be re-used by multiple software\napplications.\n       7\n       An enterprise service bus is software \xe2\x80\x9cmiddleware\xe2\x80\x9d that connects software\ncomponents and allows the components to communicate with each other.\n\n                                        - iii -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nnot include in contract modifications. However, both parties agreed\nthat Lockheed Martin would be paid the $59.7 million amount in the\nrevised budget, which includes the $2 million budgeted for award\nfees. 8 Over the course of Phase 1, the FBI deferred a total of 57\nmostly low-level requirements from Phase 1 to later phases because\nthey were outside of the scope of Phase 1, did not add value to Phase\n1, or required the modification of ACS. Despite the somewhat\ndecreased functionality Lockheed Martin was required to deliver in\nPhase 1, none of these deferrals resulted in a decrease in the cost of\nPhase 1.\n\n      At the time of our audit, the FBI\xe2\x80\x99s activities for Phase 2 of the\nSentinel project were limited to planning for that phase. However, we\nbelieve the FBI gained valuable experience during Phase 1, and the\nlessons learned can improve the implementation of Sentinel\xe2\x80\x99s\nremaining phases. Based primarily on the FBI\xe2\x80\x99s experience in dealing\nwith the legacy ACS system during Phase 1 of the project, the FBI has\nbegun to reexamine whether dividing development and\nimplementation of Sentinel into four phases was still the most effective\nway to manage the work on the project. When our audit concluded in\nMay 2007, the FBI had not yet decided on the number of remaining\nphases or the content of them.\n\n      Since the project began, the FBI has implemented several\nmanagement controls and processes designed to help it adequately\nmanage the development of Sentinel and bring it to a successful\nconclusion. We reviewed four of these controls and processes in-\ndepth: (1) earned value management, (2) independent verification\nand validation, (3) risk management, and (4) bill of materials. We\nfound that the FBI has made significant progress in each of the four,\nbut that additional progress needs to be made in the implementation\nof earned value management, risk management, and the bill of\nmaterials. In our opinion, if implemented correctly these processes\nand controls can provide reasonable assurance of project success.\n\n       However, while the FBI has implemented earned value\nmanagement to monitor Sentinel, the quality of Lockheed Martin\xe2\x80\x99s cost\ndata concerns us and the FBI. For example, when Lockheed Martin\nnotified the FBI that its costs exceeded the revised budget by $4.4\n\n       8\n          Lockheed Martin did not receive an award fee. Instead, the FBI allowed\nLockheed Martin to transfer the $2 million budgeted for the award fee to the cost\nportion of the budget to cover the cost overruns.\n\n                                        - iv -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nmillion, Lockheed Martin\xe2\x80\x99s earned value management data continued\nto show that Lockheed Martin was within budget on the project.\n\n       The FBI also has created a list of 16 risks it is monitoring that\nare associated with the Sentinel project. While the FBI\xe2\x80\x99s establishment\nof a risk management program is a positive step, we have several\nconcerns with the program\xe2\x80\x99s implementation, including irregular\nreview of the risks, a lack of contingency plans, and incomplete plans\nto mitigate identified risks. We are also concerned that the personnel\nassigned to manage these risks may not have sufficient time or\nexpertise to adequately develop and implement a strategy to reduce\nthe risks Sentinel faces.\n\n      Our audit also determined that the FBI has made good progress\nin addressing most of the concerns we identified in our two previous\naudits of the Sentinel project. Five of the 12 recommendations made\nin our prior reports have been closed, and the FBI is in the process of\ntaking action to close the remaining recommendations. For example,\nin addressing one of our key recommendations, the FBI developed a\nplan and hired a contractor to perform independent verification and\nvalidation of the project\xe2\x80\x99s development. To close the remaining\nrecommendations, the FBI must complete system security and training\nplans, fully staff the PMO, determine the appropriate amount of\nmanagement reserve for the phases of Sentinel, and develop adequate\ncontingency plans for Sentinel. We will continue to monitor the FBI\xe2\x80\x99s\nprogress in implementing the remaining open recommendations.\n\n      In sum, the first phase of the Sentinel project is complete,\nalthough with some difficulty and without providing all of the\ndeliverables originally intended for this phase of the project.\nMoreover, the most difficult portions of the project lay ahead. As\nSentinel progresses, the FBI must ensure the deliverables for each\nphase are clearly documented and communicated to FBI management\nand oversight entities. We believe that the lessons learned during\nPhase 1, combined with the processes the FBI has established to\nmanage and control the Sentinel project, can help provide reasonable\nassurance of Sentinel\xe2\x80\x99s ultimate success. However, rigorous\nimplementation of processes and lessons learned is necessary to\nminimize any significant deviations from cost, schedule, technical, or\nperformance baselines.\n\n\n\n\n                                  -v-\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nBackground\n\n       The Sentinel project follows the FBI\xe2\x80\x99s unsuccessful 3-year, $170\nmillion effort to develop a modern investigative case management\nsystem called the Virtual Case File as part of the FBI\xe2\x80\x99s Trilogy\ninformation technology (IT) modernization project. The Virtual Case\nFile originally was intended to provide the FBI with a modern system\nso that the existing obsolete ACS system could be retired. During\nmultiple OIG reviews over the past several years, we reported that\nACS uses outmoded technology, is cumbersome to operate, and does\nnot provide necessary workflow and information-sharing functions.\n\n      The Sentinel contract, awarded in March 2006 to Lockheed\nMartin through a government-wide acquisition contract, is a cost-plus-\naward-fee contract that uses task orders to complete work for each\nphase of the project. 9 The cost of the original task order for Phase 1\nof Sentinel was $57 million. According to the contract, the FBI may\nexercise options for $248 million to cover three additional phases of\nthe project and future operations and maintenance costs. Under the\nterms of the contract, Lockheed Martin can also be rewarded for\nmeeting established goals in four areas: project management, cost\nmanagement, schedule, and technical performance. This type of\ncontract and award fee structure is common for large government IT\nprojects.\n\n       While this type of contract proved problematic under Trilogy, our\ntwo prior Sentinel audits found that the FBI has made considerable\nprogress in establishing controls and processes required to adequately\nmanage a major IT development project such as Sentinel and to bring\nit to a successful conclusion \xe2\x80\x93 if the processes are followed and\ncontrols are implemented as intended. As we reported in each of our\ntwo previous Sentinel audits, we believe the FBI is establishing clear\nmilestones and requiring critical decision review points in managing\nthis contract. For instance, if the contractor does not meet its\nmilestones, it is penalized by loss of the award fee.\n\n      The FBI\xe2\x80\x99s initial plan called for implementing Sentinel\xe2\x80\x99s 4 phases\nover 45 months, with each phase providing distinct capabilities until\nthe project is fully functional in December 2009. Originally, the FBI\n\n       9\n         An award fee is a financial incentive provided to a contractor based on the\ncontractor\xe2\x80\x99s performance. A task order specifies the services required and the\nnegotiated terms at which they will be provided, subject to the terms of the contract.\n\n                                        - vi -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nexpected to complete each of the phases in 12 to 16 months. As\ndiscussed later in this report, however, the FBI is now considering a\nmodification of the four-phase approach based on its experience with\nthe first phase.\n\n     According to the FBI, the four phases will provide the following\ncapabilities:\n\n     \xe2\x80\xa2   Phase 1 introduces the Sentinel portal to provide access to\n         data from the existing ACS system and eventually, through\n         incremental changes in subsequent project phases, will\n         support access to the newly created investigative case\n         management system. Phase 1 also provides a case\n         management personal workbox that presents a summary of\n         all cases in which the user is involved, rather than requiring\n         the user to perform a series of queries to find the cases as is\n         necessary in the ACS system. In addition, a squad workbox\n         will facilitate management of cases. The Findings and\n         Recommendations section of this report contains a more\n         comprehensive discussion of the Phase 1 deliverables.\n\n     \xe2\x80\xa2   Phase 2 will begin the transition to a paperless case records\n         system by providing electronic case document management\n         and a records repository. A workflow tool will support the\n         movement of electronic case files through the review and\n         approval process, while a security framework will provide\n         access controls and electronic signatures.\n\n     \xe2\x80\xa2   Phase 3 will provide a new Universal Index, which is a\n         database of people, places, or things that relate to a case.\n         Expanding the number of attributes in the system will enable\n         more precise searching and will enhance FBI employees\xe2\x80\x99\n         ability to \xe2\x80\x9cconnect the dots\xe2\x80\x9d among various pieces of\n         information and cases.\n\n     \xe2\x80\xa2   Phase 4 will implement Sentinel\xe2\x80\x99s new case management and\n         reporting capabilities, including the management of tasks and\n         evidence. During this phase, Sentinel will be connected to\n         ACS, data on closed cases will be migrated from ACS to\n         Sentinel, and the process to retire ACS will begin.\n\n\n\n\n                                  - vii -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n\nPhase 1 Schedule, Cost and Performance\n\n       When Lockheed Martin delivered Phase 1 of Sentinel on June 19,\n2007, 2 months behind the proposed schedule, the revised contract\namount had increased from $57.2 million to $59.7 million due to an\noverall increase in the scope of work, including pre-purchasing\nsoftware for Phase 2. However, Lockheed Martin\xe2\x80\x99s costs exceeded the\nrevised contract amount \xe2\x80\x93 including $2 million budgeted for award\nfees \xe2\x80\x93 by approximately $4.4 million. Lockheed Martin and the FBI\nagreed that Lockheed Martin would only be paid $59.7 million, the\namount of the revised budget, rather than being paid the entire $4.4\nmillion overage. FBI officials stated that the net project cost remained\nthe same due to offsetting adjustments to the Phase 1 and Phase 2\nbudgets, and there was no change in the overall contract value.\n\n       At the conclusion of Phase 1, Lockheed Martin delivered two key\ndeliverables: a web-based portal to ACS and case management\nworkboxes. The FBI deferred to Phase 2 another deliverable, the\ncleansing of data in ACS\xe2\x80\x99s electronic case file module for migration into\nSentinel. As a result of deferring this deliverable to Phase 2, Sentinel\xe2\x80\x99s\ntotal costs may be higher than currently projected. The FBI\xe2\x80\x99s\nexpectations for implementing a service-oriented architecture in Phase\n1 were vague, so we could not fully assess whether Phase 1 achieved\nits objectives in this area. However, the FBI\xe2\x80\x99s explanation that the\nenterprise service bus was the only appropriate component of a\nservice-oriented architecture for Phase 1 appears reasonable, and that\ncomponent was delivered.\n\nSchedule Delay\n\n      Our audit found the following four primary causes for the\n2-month delay in the delivery of Phase 1: (1) an unrealistic schedule,\n(2) delays by Lockheed Martin in fully staffing the project with\nappropriately experienced personnel, (3) challenges in integrating the\nvarious COTS software components to work as a system, and\n(4) problems in assessing the project\xe2\x80\x99s progress against the approved\nschedule. 10\n\n\n\n       10\n           Although we view the schedule as unrealistic, FBI officials in commenting\non a draft of this report stated that they would describe the schedule as aggressive,\nrather than unrealistic, because had Lockheed Martin been able to provide adequate\nstaffing from the beginning, the 12-month schedule might have been met.\n                                          - viii -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n\n\n       Unrealistic Schedule\n\n       According to FBI officials, Lockheed Martin based its Phase 1\nproject schedule on the FBI\xe2\x80\x99s proposed notional, or hypothetical,\nschedule created prior to formally soliciting proposals for development\nof Sentinel. That schedule divided the project into four phases,\nidentified deliverables for each phase, and provided an estimated\ntimeline for completion of each phase. While information the FBI\nprovided potential vendors advised that they were free to propose a\ndifferent number of phases or change the deliverables of each phase,\nvendors still had to meet the FBI\xe2\x80\x99s target completion date of 2009. In\naddition to broad outlines of the project\xe2\x80\x99s overall schedule, the FBI\nalso dictated certain project milestones in the Sentinel Statement of\nWork. The Sentinel Program Manager told us that, in retrospect, the\ntimeframes outlined in the Statement of Work were overly aggressive\nbecause they did not allow Lockheed Martin adequate time to staff the\nproject.\n\n       Delays in Staffing\n\n       Almost immediately following the contract award, Lockheed\nMartin fell behind in its projected staffing levels. The FBI attributed\nthis to the difficulty in hiring qualified personnel with top secret\nclearances and personnel costs 25 to 40 percent higher than Lockheed\nMartin projections. A 6-month suspension in processing security\nclearances for government contractors shortly after the Sentinel\ncontract was awarded also depleted the supply of cleared contractor\npersonnel and increased the cost of hiring those who were available. 11\n\n      In addition, Lockheed Martin and the FBI also underestimated\nthe level of expertise in integrating COTS software that personnel\nwould need for the Sentinel project. In a January 2007 briefing to the\nFBI\xe2\x80\x99s Associate Deputy Director, the Sentinel Program Manager said\nthat both the FBI and Lockheed Martin based their original personnel\ncost estimates on the assumption that most of the work could be\ncompleted by recent college graduates, an approach Lockheed Martin\nhad successfully used on a large scale information technology project\n\n       11\n           According to the FBI, shortly after the Sentinel contract was awarded the\nDefense Security Service, the organization responsible for performing background\ninvestigations and granting clearances, suspended its processing of clearances for all\ngovernment contractors for 6 months due to significant backlogs.\n                                          - ix -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\nat the Social Security Administration. However, several PMO and FBI\nChief Information Office personnel said that throughout Phase 1 of\nSentinel, the level of expertise required of the Lockheed Martin staff to\ndeal with Sentinel\xe2\x80\x99s COTS software was not sufficient for the project,\nalthough they said that Lockheed Martin eventually added the required\nexpertise. FBI officials said the quality of the Lockheed Martin staff\nhad improved during the first phase, but that additional improvements\nneed to be made if the subsequent phases of the project are going to\nbe successful. Other FBI officials said, however, that Lockheed Martin\nshould have considered contracting with the software manufacturers\nwho developed the most challenging pieces of software to help with\nimplementation.\n\n      Challenges of Integrating the Software\n\n      Several PMO officials, including the Sentinel Program Manager\nand Lockheed Martin\xe2\x80\x99s Deputy Project Manager, stated that integrating\nthe various commercial off-the-shelf software modules that comprise\nPhase 1 of Sentinel into a system that functions as intended was a\nmajor challenge. For example, analyzing why a particular software\nproblem occurred within such an integrated system was difficult due to\nthe number of variables in complex systems such as Sentinel. The\nCOTS software used in Sentinel is so complex that the Lockheed Martin\nProject Manger said that it is virtually impossible to complete a COTS-\nbased system without hands-on experience with its component\nsoftware packages. Another factor that compounded the general\nchallenge of COTS integration was that Sentinel is based on cutting-\nedge software, some of which had bugs. In at least one case, the\nsoftware manufacturer was not aware of a problem until notified by\nthe FBI and Lockheed Martin. Because this was a new bug, the\nmanufacturer had to research its cause and develop a solution before\nLockheed Martin could implement the software patch.\n\n      Problems in Assessing Progress\n\n      PMO personnel said that the methodology used by Lockheed\nMartin to construct the Sentinel project\xe2\x80\x99s schedule made it difficult to\nassess the project\xe2\x80\x99s progress. Specifically, they cited the following\nconcerns about the schedule:\n\n      \xe2\x80\xa2   Overuse of \xe2\x80\x9chard constraints.\xe2\x80\x9d Hard constraints are specific\n          dates entered into a schedule that require a task to begin or\n          end on that date, regardless of any other activity within the\n          schedule. Hard constraints cloud an assessment of the\n                                   -x-\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n          impact of schedule slippages because the scheduling software\n          will assume that the task met the constraint, regardless of\n          whether or not it did. Lockheed Martin\xe2\x80\x99s project schedule\n          contained many hard constraints, which made assessing\n          progress difficult.\n\n      \xe2\x80\xa2   Logic problems. PMO officials said Lockheed Martin\xe2\x80\x99s\n          schedule did not always accurately reflect the\n          interdependence between tasks, often linking some that were\n          not interdependent and not linking others that were\n          interdependent.\n\n      \xe2\x80\xa2   High percentage of \xe2\x80\x9clevel-of-effort\xe2\x80\x9d tasks. Some of the tasks\n          in the development of an IT system are referred to as \xe2\x80\x9clevel\n          of effort,\xe2\x80\x9d meaning that progress toward completion of a task\n          is measured by the passage of time rather than progress\n          toward completing the task. Tasks that do not have a defined\n          deliverable, such as project management, are often measured\n          using level of effort. However, because level-of-effort tasks\n          are not tied to discrete deliverables, it is difficult to determine\n          how much their completion contributes to the overall progress\n          of a project. As a result, it is prudent to have a schedule with\n          as few level-of-effort tasks as possible. Lockheed Martin\xe2\x80\x99s\n          project schedule contained a significant number of level-of-\n          effort tasks.\n\nCost and Deliverables\n\n      The contract awarded to Lockheed Martin to develop Sentinel\nrepresents about 72 percent of the total cost of the entire Sentinel\nproject, so Lockheed Martin\xe2\x80\x99s ability to deliver its portion of Sentinel\nwithin budget is critical to the cost performance of the overall Sentinel\nproject. As the result of a series of contract modifications, the value of\nLockheed Martin\xe2\x80\x99s task order for Phase 1 increased from $57.2 million\nat the time of the integrated baseline review (IBR) in May 2006 to\n$59.7 million in March 2007. However, in June 2007 Lockheed Martin\nadvised the FBI that it had incurred costs totaling $64.1 million in the\nperformance of Phase 1. Lockheed Martin attributed the cost overruns\nto unanticipated work in interfacing with existing FBI computer\nsystems and modifications to the FBI\xe2\x80\x99s testing approach.\n\n      However we found that three factors obscured a precise\naccounting of Lockheed Martin\xe2\x80\x99s cost performance. First, even though\nthe FBI transferred some Phase 1 requirements to later phases of the\n                                    - xi -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nproject, it received minimal cost reductions on Phase 1 from Lockheed\nMartin for deferring completion of these requirements. Second, the\nFBI did not adequately define the foundations of a service-oriented\narchitecture expected to be delivered in Phase 1 and did not tie all of\nthe deliverables to the requirements agreed upon for Phase 1, making\nit difficult to evaluate what the Phase 1 budget was supposed to pay\nfor. Third, the FBI transferred $2.5 million in materials and services\nfrom Lockheed Martin\xe2\x80\x99s budget to the PMO\xe2\x80\x99s budget and increased the\namount of equipment the FBI furnished for the project. As a result,\nthe amount paid to Lockheed Martin understates the cost of the work\nLockheed Martin was originally tasked with.\n\n       Requirements Deferred\n\n       Over the course of Phase 1, the FBI deferred a total of 57 mostly\nlow-level requirements from Phase 1 to later phases. 12 Despite\ndecreasing the amount of functionality Lockheed Martin was required\nto deliver in Phase 1, none of these deferrals resulted in a decrease in\nthe cost of Phase 1. According to the FBI, it deferred most of the\n57 requirements because it decided the requirement was outside of\nthe scope of Phase 1, did not add value to Phase 1, would require the\nmodification of ACS, or would duplicate a capability included in a\nfuture phase of Sentinel. FBI officials said they did not believe it was\nprudent to invest in upgrading ACS because Sentinel is intended to\nreplace it.\n\n      We recognize that phased projects using COTS components\noften transfer requirements from one phase to another and, in\ngeneral, we do not disagree with the FBI\xe2\x80\x99s transfer of these\n57 requirements. However, as noted previously, we are concerned\nthat the FBI did not require that Lockheed Martin determine the\nfinancial impact of not doing this work in Phase 1 and adjust the cost\nof Phase 1 accordingly.\n\n       Phase 1 of Sentinel has delivered a web-based user interface to\nACS data, giving a much more modern look and feel to ACS data and\nallowing users to navigate through the database using a mouse. For\nexample, users can view and download ACS documents. However,\nthis version of the web-based portal does not allow users to perform\nall of the functions included in ACS, meaning that FBI personnel may\n\n       12\n          For example, the requirement that Sentinel be able to perform\nunstructured searches against items collected during investigations was deferred\nfrom Phase 1 to Phase 2.\n                                        - xii -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\nalso need to continue using the old system as well. Because many of\nthe functions now performed by ACS will not be incorporated into\nSentinel until Phase 2, the Phase 1 web portal to ACS will be used only\nuntil the completion of Phase 2.\n\n       As a result, the FBI decided that duplicating all of ACS was not\ncost effective and chose instead to include only the most frequently\nused functions in the Phase 1 portal. FBI officials said they recognize\nin retrospect that they overlooked some critical functions in the Phase\n1 portal, such as the ability to upload documents into ACS, and that\nPhase 1 should have incorporated those functions.\n\n      Deliverables Ill-Defined\n\n       Throughout the Sentinel project, FBI documents, including slides\nfrom weekly briefings of the FBI Director, have shown four major\nanticipated deliverables for Phase 1: (1) a web-based portal to ACS,\n(2) a case workbox, (3) the foundational components of a service-\norientated architecture, and (4) data cleansing of the electronic case\nfile portion of ACS. As implemented, Phase 1 delivered the most\nimportant deliverables, the ACS portal and case workbox. Because the\nfoundational components of a service-oriented architecture were ill-\ndefined, we could not evaluate the extent to which this deliverable was\nachieved. However, FBI officials stated that the only component\napplicable to Phase 1 was the enterprise service bus, which was\ndelivered. They said that the fourth planned deliverable, the data\ncleansing of the electronic case file portion of ACS, was deferred\nbecause it was more technically feasible to do so. 13 As Sentinel\nprogressed through the life cycle management process, the FBI\xe2\x80\x99s\ninternal technical reports have noted this divergence from the original\nset of deliverables.\n\n      Neither the foundational components of a service-oriented\narchitecture nor the data cleansing of electronic case file data were\nspecified in the requirements for Phase 1, so the deferral of these\ngoals did not require the deferral of requirements. However, achieving\nboth of these goals may potentially require additional financial and\npersonnel resources. And as mentioned previously, deferral of these\ngoals did not result in a corresponding decrease in the Phase 1\ncontract amount.\n\n      13\n          See page 34 for a discussion of the common components of a service-\noriented architecture.\n\n                                      - xiii -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n\n       The FBI\xe2\x80\x99s Incremental Development Plan, which was provided to\nall potential Sentinel bidders as a framework from which to describe\nthe intent of the Sentinel program, refers to a service-oriented\narchitecture framework and foundational services but does not define\nthese terms. The FBI said that as a result, it had no expectation that\nLockheed Martin would specifically address the commonly recognized\nbasic components of a service-oriented architecture in Phase 1.\n\n       The Incremental Development Plan does not include any data\ncleansing or data migration capabilities for Phase 1. Rather, the plan\nstates \xe2\x80\x9cThere are no specific requirements for migration of case data in\nPhase 1.\xe2\x80\x9d However, Lockheed Martin\xe2\x80\x99s proposal included data\ncleansing of electronic case file data as part of Phase 1 in preparation\nfor the data\xe2\x80\x99s transfer, or migration, to the Sentinel database in Phase\n2. The FBI subsequently agreed to Lockheed Martin\xe2\x80\x99s data cleansing\napproach and the proposed scope of the data cleansing efforts was\nbuilt into the project\xe2\x80\x99s integrated master schedule. However, as stated\nabove, after further consideration the FBI deferred data cleansing until\nPhase 2 because it had technical concerns with cleansing data in\nadvance of migrating it.\n\n      While deferring the data cleansing to Phase 2 did not affect the\nfunctionality of Phase 1, it pushed time-consuming activities into Phase\n2 and the FBI did not adjust the Phase 2 end date. In addition, similar\nto the deferral of requirements, the deferral of the data cleansing did\nnot result in a decrease in the amount of the Phase 1 contract.\n\n      Costs Transferred\n\n      Through a series of six contract modifications during Phase 1,\nthe FBI increased the total contract value of Phase 1 by $2.5 million,\nfrom $57.2 million to $59.7 million. As expected in a project of\nSentinel\xe2\x80\x99s size and complexity, some of the modifications increased the\nscope of Phase 1, while others decreased it. However, the decreases\neither transferred the cost for the tasks to the PMO budget or to the\namount budgeted for Lockheed Martin\xe2\x80\x99s award fee. For example, in\nMarch 2007 the FBI issued a modification which deleted $2.1 million\nfor tape silos from the Phase 1 contract. 14 Although the tape silos\nwere still necessary for Phase 1, the FBI purchased silos with more\n\n      14\n         A tape silo is computer hardware that uses tapes to store large amounts of\ncomputer data.\n\n                                      - xiv -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nstorage capacity using funds from the PMO\xe2\x80\x99s budget and used the\nfunds in the Lockheed Martin contract originally allocated to tape silos\nto offset the cost of additions to the scope of Phase 1. FBI officials\nstated that the various cost adjustments did not affect the overall\ncontract value of $305 million.\n\nPhase 2 Planning and Project Management\n\n        The FBI has implemented several management controls and\nprocesses in addition to its life cycle management directive that are\ndesigned to help it adequately manage the development of Sentinel\nand bring it to a successful conclusion. In this audit, we reviewed four\nof these controls and processes in depth: earned value management\n(EVM), risk management, independent verification and validation, and\nbill of materials. We concluded that the FBI has made significant\nprogress in each of the four areas, but that substantial additional\nprogress is needed in risk management and the bill of materials.\n\n       In addition to these four areas, the FBI recognizes that the\nlessons learned during Phase 1 will aid the FBI in its planning of\nPhase 2. Although Phase 1 is complete, the most difficult portions of\nSentinel development and implementation lay ahead. To reduce the\nrisk to Phase 2 and subsequent phases of Sentinel, that the FBI must\nimplement corrective actions resulting from the problems encountered\nduring Phase 1.\n\n       It is also important to note that the FBI has taken action to\nalleviate or resolve most of the concerns identified in our first two\naudits of the Sentinel project relating to project management. We\nbelieve that the FBI\xe2\x80\x99s efforts to improve its project management\ncapabilities can help provide reasonable assurance that the Sentinel\nproject can be successfully completed, if the processes are\nimplemented as intended.\n\n      Earned Value Management\n\n      As required by the Office of Management and Budget (OMB), and\nwith Department of Justice (Department) guidance, the FBI has\nestablished an Earned Value Management (EVM) system for Sentinel.\nEVM helps manage project risks by achieving reliable cost estimates,\nevaluating progress, and allowing the analysis of project cost and\nschedule performance trends. EVM compares the current status of a\nproject, in terms of both cost and schedule, to the established cost and\nschedule baselines. Deviations between the baselines and the current\n                                  - xv -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nstatus should demonstrate the project\xe2\x80\x99s progress and the overall level\nof performance, thereby enabling a level of accountability to be\nimposed on the project. When properly implemented and utilized,\nEVM allows project management to pinpoint potential problems and\naddress them before they escalate.\n\n       The Sentinel contract requires Lockheed Martin to fully\nimplement EVM in accordance with the Sentinel EVM plan, including\nhaving an EVM system that complies with American National Standards\nInstitute (ANSI)/Electronic Industries Alliance (EIA) Standard\n748-A. 15 This allows the FBI to gather EVM data on the development\nportion of the project through monthly electronic data transfers from\nLockheed Martin.\n\n       Our review of EVM reporting from September 2006 to March\n2007 showed that the FBI has continued to implement EVM and use\nthat data to help manage Phase 1 of Sentinel. However, several\nissues decreased the effectiveness of EVM as a tool to manage the\nSentinel development contract. The most significant issue was the\nreliability of the EVM data Lockheed Martin provided the FBI. In June\n2007, the FBI rejected Lockheed Martin\xe2\x80\x99s April 2007 EVM data after\nLockheed Martin notified the FBI that it estimated that it had incurred\napproximately $64.1 million in costs during Phase 1 of Sentinel.\nBecause the EVM baseline for Phase 1 was $59.7 million, Lockheed\nMartin\xe2\x80\x99s estimate showed that its EVM system was not collecting\naccurate data on Sentinel costs as Lockheed Martin was accruing the\ncosts \xe2\x80\x93 one of the primary purposes of an EVM system.\n\n      Further, while the FBI\xe2\x80\x99s implementation of EVM comports with\nthe Department\xe2\x80\x99s guidance, it does not provide all the data that OMB\nbelieves necessary for oversight purposes. As a result of OMB\nconcerns that the FBI reprogrammed or rebaselined Phase 1 of\nSentinel without required OMB approval, we reviewed all changes to\nthe time-phased budget used to measure Sentinel\xe2\x80\x99s progress. 16 We\n       15\n           ANSI/EIA Standard 748-A is the criteria selected by the OMB for EVM\nsystems. The standard includes 32 specific criteria in 5 process areas necessary for\na sufficient EVM system: (1) organization; (2) planning, scheduling and budgeting;\n(3) accounting; (4) analysis and management reports; and (5) revisions and data\nmaintenance.\n       16\n           Reprogramming, or rebaselining, revises the project baselines and\neliminates all cost and schedule variances. Rebaselining usually occurs when a\nproject\xe2\x80\x99s progress deviates significantly from the original plan and the remaining\ntime and funds are not sufficient to complete the project.\n\n                                        - xvi -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nconcluded that the FBI had not rebaselined the project, but that\nfrequent replanning diminished the quality and usefulness of the EVM\ndata for higher-level oversight. 17\n\nIndependent Verification and Validation\n\n       In September 2006, the FBI obtained the services of Booz Allen\nHamilton (Booz Allen) to perform the independent verification and\nvalidation function for the Sentinel project. Since then, Booz Allen has\nparticipated in FBI-only project meetings and joint FBI-Lockheed\nMartin project reviews. In addition, Booz Allen has provided written\ncomments and recommendations on many project documents, and\nproduced 15 project-status briefings and monthly reports. Booz Allen\nalso produced monthly reports and biweekly briefings that were sent\ndirectly to the FBI\xe2\x80\x99s Chief Information Officer.\n\n       These reports and briefings highlight recent activities, upcoming\nevents, and the independent verification and validation team\xe2\x80\x99s view of\nthe overall status of the project, including a discussion of risks that\ncould affect the project\xe2\x80\x99s cost, schedule, or performance. The\nindependent verification and validation products also included\nrecommendations and best practices observed by Booz Allen. As of\nMay 2007, Booz Allen had made over 70 recommendations based on\nrisks and other areas it identified. Booz Allen also reported several\nproject management and oversight weaknesses that increased the\nrisks associated with Sentinel, including concerns about:\n\n       \xe2\x80\xa2    the ability of Lockheed Martin\xe2\x80\x99s developers to build Phase 1 to\n            meet the FBI\xe2\x80\x99s needs before Lockheed Martin had completed\n            the design; and\n\n       \xe2\x80\xa2    the quality of most of the test procedures submitted by\n            Lockheed Martin for the test readiness review.\n\nRisk Management\n\n      The purpose of risk management is to assist the project\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\nprogram. A risk management plan should identify procedures used to\n\n       17\n           Replanning revises the time-phased budget for completing the work\nremaining in a project without any changes to the total scope of work, baselined\ncost, or scheduled completion of the project.\n                                       - xvii -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nmanage risk throughout the life of the program. Risks are categorized\nby severity and identified as either open or resolved. Open risks are\ntracked in a risk register maintained by the risk manager until\nresolved.\n\n       The FBI has created a list of 16 risks it is monitoring that are\nassociated with the Sentinel project. While the FBI\xe2\x80\x99s establishment of\na risk management program is a positive step, we have several\nconcerns with the program\xe2\x80\x99s implementation, including irregular\nreview of the risks, a lack of contingency plans, and incomplete plans\nto mitigate identified risks.\n\n       As required, the FBI has developed plans to mitigate the highest\nranked risks. However, the mitigation plans for these top-ranked risks\nare incomplete because they do not include a method to measure\nwhether the steps in the mitigation plan are effective. In addition, the\nFBI has developed contingency plans for only 50 percent of the risks\nthat are required to have such plans. The Sentinel risk manager said\nthat the mitigation plans do not include a method to measure their\neffectiveness because it is very difficult to develop accurate measures.\nHowever, we believe that risk management is critical to the success of\nSentinel.\n\n      When a new risk is opened, the Sentinel Risk Review Board\nassigns an owner to that risk to develop a mitigation and contingency\nplan and to ensure that the mitigation plan is implemented. We\nsupport the idea of having one person taking a lead role \xe2\x80\x93 having \xe2\x80\x9crisk\nownership\xe2\x80\x9d in managing each risk. However, this process does not\nappear to be functioning as intended. During interviews with risk\nowners we found that some could not explain the nature of the risks\nthey had been assigned, while others said they thought they did not\nhave the authority or capability to implement a risk\xe2\x80\x99s mitigation\nstrategy.\n\n       With respect to currently identified project risks, we view\nSentinel\xe2\x80\x99s ability to interface with existing FBI systems from which it\nwill extract data as a potentially significant challenge. In Phase 1,\nLockheed Martin had unanticipated problems connecting Sentinel with\nACS because there was no detailed documentation describing how ACS\nworks. Consequently, Lockheed Martin had to create the\ndocumentation itself. The Sentinel PMO did not anticipate this task\nbecause the managers of ACS told the PMO that all of the necessary\ndocumentation existed. Because this unexpected task strained both\nthe Phase 1 budget and schedule, the PMO is now tracking\n                                 - xviii -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\ndocumentation for the other systems with which Sentinel must\ninterface as a risk.\n\nBill of Materials\n\n      A bill of materials is a complete listing of all parts, assemblies,\nequipment, and software that make up an IT system, as well as the\ninformation required to construct new units of the system or order\nspare parts for it. Contractually, Lockheed Martin is required to\npurchase the list of items on the bill of materials it submitted with its\nproposal. As is to be expected in a project as complex as Sentinel,\nLockheed Martin has needed to revise the bill of materials for several\nreasons including revisions to the project\xe2\x80\x99s design.\n\n        An accurate bill of materials is critical to ensuring the FBI\napproves all changes to Sentinel\xe2\x80\x99s design and that an accurate list of\nSentinel\xe2\x80\x99s components is available to the FBI to use when reviewing\nLockheed Martin\xe2\x80\x99s invoices. Because of the importance of an accurate\nbill of materials, the PMO established a Bill of Materials Deviation\nPolicy, which establishes the criteria for what constitutes a change to\nthe bill of materials and the criteria to assess whether Lockheed Martin\nneeds the FBI\xe2\x80\x99s approval prior to making a change to the bill of\nmaterials.\n\n       According to the Sentinel Contracting Officer\xe2\x80\x99s Technical\nRepresentative, Lockheed Martin also established its own internal\nprocedures for making changes to the bill of materials. However,\nLockheed Martin employees viewed internal approval of changes as\nfinal approval to change the bill of materials and therefore did not\nsubmit all changes to the FBI as required. The PMO is aware of this\nand other shortcomings and has established a joint Lockheed Martin-\nFBI team to revise Sentinel\xe2\x80\x99s bill of materials policies and procedures\nto address these issues.\n\n       In addition to the issues with which the FBI was aware, we\nidentified a significant flaw in Sentinel\xe2\x80\x99s Bill of Materials Deviation\npolicy. While the policy states that a deviation is any addition or\ndeletion to the bill of materials, the policy does not require FBI\napproval for additions or deletions. Instead, the policy only requires\napproval for cost increases and changes to purchase dates for items\nalready on the bill of materials. FBI officials agreed that the deviation\npolicy needs to address this issue.\n\n\n                                  - xix -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\nLessons Learned\n\n       Although Phase 1 was slightly delayed and over budget, the FBI\nappears to have learned important lessons that may allow it to reduce\nthe risk to subsequent phases. We examined what the FBI had\nlearned about integrating COTS software, interfacing with ACS,\nmeasuring progress, clarifying with Lockheed Martin the details of\nwhat must be done to meet a given requirement, scheduling reviews\nof Sentinel\xe2\x80\x99s design, and ensuring Sentinel\xe2\x80\x99s schedule accurately\nmeasures the project\xe2\x80\x99s progress. We believe that if the FBI\nimplements the planned corrective actions resulting from these\nlessons, we believe the risk to subsequent phases of Sentinel should\nbe reduced.\n\nActions Taken on Prior OIG Recommendations\n\n      During our audit, we examined the FBI\xe2\x80\x99s actions to address\nrecommendations we made in our audit reports on Sentinel and found\nthat the FBI was, in general, taking action to resolve our concerns.\nBased on the FBI\xe2\x80\x99s actions, we closed 5 of the 12 recommendations.\nWe also noted that the FBI agreed with the remaining\nrecommendations and was in the process of taking corrective action.\nOur recommendations dealt generally with the FBI\xe2\x80\x99s need to complete\nrequired planning and general management oversight policies and\nprocedures for Sentinel in order to help ensure its success.\n\n       In our March 2006 report, we made seven recommendations, of\nwhich four have been closed. The FBI continues to address the\nremaining three recommendations that involve completing a system\nsecurity plan, filling vacant positions within the Sentinel PMO, and\ncompleting comprehensive training plans for the project. We found\nduring our audit that the FBI had completed its independent\nverification and validation plan, which partially closes one of the\nrecommendations, but the system security plan still needs to be\ncompleted for full closure of the recommendation.\n\n      In our December 2006 report, we made five recommendations,\none of which has been closed. The four remaining recommendations\nwere that the FBI should: (1) develop contingency plans as required\nby the Sentinel Risk Management Plan, (2) provide experienced\ncontractors to conduct an independent verification and validation\nprocess throughout the Sentinel project, (3) determine the appropriate\namount of management reserve for each phase of the project, and\n\n                                - xx -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n(4) fill the vacant Sentinel PMO positions needed to complete Phase 1\nof the project.\n\n      As discussed earlier, we found that the FBI has improved in\ndeveloping contingency plans as required by the Sentinel Risk\nManagement Plan. However, as noted, we continue to have concerns\nabout the FBI\xe2\x80\x99s management of risks in the Sentinel project. We also\nfound that the FBI has begun utilizing a contractor to perform\nindependent verification and validation and the contractor offered\nnumerous recommendations during Sentinel\xe2\x80\x99s Phase 1. Because the\nindependent verification and validation is being performed, this\nrecommendation will be closed through our normal audit follow-up\nprocess.\n\n      For the two remaining open recommendations from our\nDecember 2006 report, we found that the FBI had not determined\nmanagement reserve amounts for the remaining phases of Sentinel\nand did not fully staff the Sentinel PMO. Because Sentinel consists of\nfour phases, each phase will have a separate task order and its own\nfunding. At the end of our fieldwork for the current review, the PMO\nwas still in the planning stage for Phase 2, which includes a risk\nanalysis and cost implications for those risks. As a result, the\nmanagement reserve had not yet been determined.\n\n      Regarding the staffing of the Sentinel PMO, we found that the\nFBI continued to make progress in its hiring of personnel. We found\nthat 70 of 76 positions had been filled, and 3 individuals were pending\nfor the remaining positions. The FBI also was planning for changes to\nbe made in the PMO as the project evolved from planning and\ndevelopment to operations and maintenance.\n\n      We will continue to monitor the progress made by the FBI in\nimplementing the remaining recommendations identified in our prior\naudits to ensure that the required planning and general management\noversight policies and staff continue to be utilized effectively.\n\nConclusion\n\n       The FBI deployed the two most critical deliverables planned for\nthe first phase of the Sentinel project \xe2\x80\x93 a web-based portal to ACS and\npersonal and squad workboxes that summarizes users\xe2\x80\x99 cases and\nleads. These deliverables were completed slightly behind schedule and\nover budget. However, the most difficult portions of Sentinel to\n\n                                 - xxi -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nimplement lay ahead and several tasks originally planned for Phase 1\nhave been deferred to later phases.\n\n      We will monitor the quality of the Phase 1 product in our next\nSentinel audit as FBI employees gain experience in using the portal\nand workboxes.\n\n      We believe that the lessons learned during Phase 1, combined\nwith the processes the FBI has established to manage and control the\nSentinel project, can help provide reasonable assurance of Sentinel\xe2\x80\x99s\nultimate success. However, rigorous implementation of processes and\nlessons learned is necessary to minimize any significant deviations\nfrom cost, schedule, technical, or performance baselines.\n\nOIG Recommendations\n\n      In this third Sentinel audit, we make nine recommendations to\nthe FBI to help ensure the success of the Sentinel case management\nsystem and to better manage project costs. Among the\nrecommendations are that the FBI limit the scope and duration of\nfuture project phases to make them more manageable; adjust the\namount of task orders to reflect changes in project requirements;\ninclude both initial and revised performance baselines in EVM reports;\nimprove the requirements for Lockheed Martin\xe2\x80\x99s cost reporting;\nimprove risk management and the tracking of project deficiencies; and\nimprove the bill of materials process.\n\n\n\n\n                                 - xxii -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n                              TABLE OF CONTENTS\n\n\nINTRODUCTION .......................................................................... 1\n     Background ....................................................................... 1\n     Sentinel............................................................................. 4\n     Sentinel\xe2\x80\x99s Phased Approach.................................................. 5\n     FBI Management Processes and Controls................................ 7\n     Earned Value Management System........................................ 8\n     Prior Reports ...................................................................... 9\n\nFINDINGS AND RECOMMENDATIONS ........................................... 13\n\n       Finding 1: Phase 1 Schedule, Cost, and Performance ............ 13\n             Schedule Delay ........................................................ 14\n             Causes for Delay ...................................................... 15\n             Tight Schedule Affected Implementation of\n                 LCMD Processes ................................................. 23\n             Lockheed Martin\xe2\x80\x99s Cost Performance ........................... 25\n             Phase 1 Deliverables ................................................. 28\n             Conclusion............................................................... 37\n             Recommendations .................................................... 38\n\n       Finding 2: Phase 2 Planning and Management Issues ............ 39\n             Management Controls and Processes ........................... 39\n             Planning for Phase 2 and Lessons Learned ................... 60\n             Actions Taken on Previous OIG Recommendations......... 64\n             Conclusion............................................................... 69\n             Recommendations .................................................... 69\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ....... 71\n\nSTATEMENT ON INTERNAL CONTROLS ......................................... 72\n\nAPPENDIX 1:          OBJECTIVES, SCOPE, AND METHODOLOGY ............ 73\n\nAPPENDIX 2:          ACRONYMS........................................................ 74\n\nAPPENDIX 3:          THE FBI\xe2\x80\x99S LIFE CYCLE MANAGEMENT DIRECTIVE .... 75\n\nAPPENDIX 4:          PRIOR REPORTS ON THE FBI\xe2\x80\x99S INFORMATION\n                     TECHNOLOGY .................................................... 83\n\n\n\n\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                REDACTED FOR PUBLIC RELEASE\n\n\nAPPENDIX 5:    COMPARISON OF ACS, WACS, AND PHOENIX\n               FUNCIONALITY TO SENTINEL\xe2\x80\x99S\n               PHASE 1 DELIVERABLES...................................... 92\n\nAPPENDIX 6:    INDEPENDENT VERIFCATION AND\n               VALIDATION ISSUES AND RECOMMENDATIONS ..... 98\n\nAPPENDIX 7:    RISK REGISTER OPEN RISKS ............................. 109\n\nAPPENDIX 8:    PMO STAFF POSITIONS AND\n               RESPONSIBILITIES ........................................... 123\n\nAPPENDIX 9:    THE FEDERAL BUREUA OF INVESTIGATION\xe2\x80\x99S\n               RESPONSE TO THE DRAFT REPORT ..................... 125\n\nAPPENDIX 10:   OFFICE OF THE INSPECTOR GENERAL\xe2\x80\x99S\n               ANALYSIS AND SUMMARY OF ACTIONS\n               NECESSARY TO CLOSE THE REPORT ................... 129\n\n\n\n\n                REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n                              INTRODUCTION\n\nBackground\n\n       On March 16, 2006, the Federal Bureau of Investigation (FBI)\nannounced that it had awarded a contract to Lockheed Martin Services\n(Lockheed Martin) to develop the Sentinel information and\ninvestigative case management system. The cost of the four phases of\nthe Lockheed Martin contract totaled $305 million, and the FBI\nestimated that it would cost an additional $120 million to staff the\nFBI\xe2\x80\x99s Sentinel Program Management Office (PMO), provide contractor\nsupport, and establish a management reserve for contingencies,\nbringing the total estimated cost of the Sentinel project to $425\nmillion. The initial schedule for the Lockheed Martin contract called for\nall phases to be completed in December 2009, or 45 months from the\nstart of work.\n\n      On June 19, 2007, the FBI announced that it had fully deployed\nPhase 1 of Sentinel. The goal of this first phase of the project was to\nprovide FBI employees with a user-friendly, web-based access to\ninformation currently in the FBI\xe2\x80\x99s antiquated Automated Case Support\n(ACS) system. 18 Phase 1 features a personal workbox that\nsummarizes a user\xe2\x80\x99s cases and leads. 19 It also provides user-friendly\nsearch capabilities and a squad workbox, which allows supervisors to\nbetter manage their resources and assign leads with the click of a\nmouse.\n\n      According to the Sentinel contract, Lockheed Martin can be\nrewarded for meeting established goals in four areas: project\nmanagement, cost management, schedule, and technical performance.\nThe award fee cannot exceed 11 percent of the $232.4 million total\ndevelopment costs for Sentinel, or approximately $26 million, and will\nbe allocated across the four areas based on risk. This type of contract\nand award fee structure is common for large government IT projects.\n\n     The Sentinel project, which uses commercial-off-the-shelf\n(COTS) components, is intended to provide the FBI with a web-\nenabled electronic case management system that includes records\n\n       18\n          ACS is the FBI\xe2\x80\x99s current case management system. Deployed in 1995,\nACS is a mainframe system.\n       19\n          A lead is a request from any FBI field office or headquarters for assistance\nin the investigation of a case.\n\n                                         -1-\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nmanagement, workflow management, evidence management, search\nand reporting capabilities, and information sharing capabilities with\nother law enforcement agencies and the intelligence community.\nAccording to the FBI Director, \xe2\x80\x9cSentinel will strengthen the FBI\xe2\x80\x99s\ncapabilities by replacing its primarily paper-based reporting system\nwith an electronic system designed for information sharing. Sentinel\nwill support our current priorities, including our number one priority:\npreventing terrorist attacks.\xe2\x80\x9d 20\n\n      The Sentinel project follows the FBI\xe2\x80\x99s unsuccessful efforts to\ndevelop an automated case management system called the Virtual\nCase File (VCF), which was intended to replace the FBI\xe2\x80\x99s ACS system.\nBecause of the FBI\xe2\x80\x99s failed $170 million VCF project, congressional\nappropriations and oversight committees questioned whether the FBI\ncould successfully develop and implement a case management system\nof Sentinel\xe2\x80\x99s magnitude. Given the importance of the Sentinel project,\nthe congressional appropriations committees and the FBI Director\nasked the Department of Justice Office of the Inspector General (OIG)\nto continually review and report on the progress of the FBI\xe2\x80\x99s\ndevelopment of Sentinel.\n\n      This report is the third OIG report on Sentinel, and covers the\ndevelopment of Phase I of the project, planning for Phase 2, and\nprogress made by the FBI in resolving the concerns identified in our\ntwo previous audits. The previous two reports focused on the planning\nfor Sentinel, the FBI\xe2\x80\x99s processes and controls for managing information\ntechnology (IT) projects, and the contract with Lockheed Martin to\ndevelop Sentinel.\n\n       Over the past few years, the OIG and others have reviewed\nvarious aspects of the FBI\xe2\x80\x99s IT infrastructure and noted the critical\nneed for the FBI to modernize its case management system. In\nprevious reports, the OIG concluded that current FBI systems do not\npermit agents, analysts, and managers to readily access and share\ncase-related information throughout the FBI, and without this\ncapability the FBI cannot perform its critical missions as efficiently and\neffectively as it should. 21\n\n\n\n       20\n         FBI Press Release entitled FBI Announces Award of Sentinel Contract,\nMarch 16, 2006.\n       21\n          For a more complete discussion of the OIG\xe2\x80\x99s reports on Sentinel, see the\nPrior Reports section on page 9.\n                                       -2-\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n       In its mission-needs statement for Sentinel, the FBI said that its\ncurrent case management system must be upgraded to utilize new\ninformation technologies by moving from a primarily paper-based case\nmanagement process to an electronic records system. The FBI noted\nthat this transition would enable agents and analysts to more\neffectively perform their investigative and intelligence duties.\n\n      The FBI\xe2\x80\x99s attempt to move from a paper-based to an electronic\ncase management system began with the Trilogy project in mid-2001.\nThe objectives of Trilogy were to update the FBI\xe2\x80\x99s aging and limited IT\ninfrastructure; provide needed IT applications for FBI agents, analysts,\nand others to efficiently and effectively do their jobs; and lay the\nfoundation for future IT improvements. Trilogy consisted of upgrading\nthe FBI\xe2\x80\x99s: (1) hardware and software; (2) communications network;\nand (3) the five most important investigative applications, including\nthe antiquated ACS. The first two components of Trilogy were\ncompleted in April 2004 at a cost of $337 million, almost $100 million\nmore than originally planned. Among other improvements, the FBI\nenhanced its IT infrastructure with new desktop computers for its\nemployees and deployed a wide area network to enhance electronic\ncommunications among FBI offices and with other law enforcement\norganizations.\n\n      In early 2004, after nearly 3 years of development, the FBI\nengaged several external organizations and contractors to evaluate the\nVirtual Case File (VCF), the third component of the Trilogy project.\nBased on critical comments by these organizations, the FBI began to\nconsider alternative approaches to developing the VCF, including\nterminating the project or developing a completely new case\nmanagement system. In late 2004, the FBI commissioned Aerospace\nCorporation to perform a study evaluating the functionality of COTS\nand government off-the-shelf technology to meet the FBI\xe2\x80\x99s case\nmanagement needs. Aerospace followed this study with an\nindependent verification and validation (IV&V) report on the VCF,\nissued in January 2005, which recommended that the FBI pursue a\nCOTS-based, service-oriented architecture. 22 The IV&V report\n\n\n      22\n          IV&V is a standard information technology investment management (ITIM)\nprocess whereby an independent entity assesses the system as it is developed in\norder to evaluate if the software will perform as intended. A service-oriented\narchitecture is a collection of services that communicate with each other. The\ncommunication can involve a simple data exchange or two or more services\ncoordinating on an activity.\n\n                                      -3-\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nconcluded that a lack of effective engineering discipline led to\ninadequate specification, design, and development of the VCF.\n\n       The FBI modified its approach to developing the VCF, and in late\n2004 divided the project into Initial Operational Capability and Full\nOperational Capability segments. The Initial Operational Capability\nsegment assessed the VCF project and involved a pilot test of the most\nadvanced version of the VCF in an FBI field office. In February 2005,\nthe OIG issued a report on the Trilogy project questioning the FBI\xe2\x80\x99s\nability to complete and deploy the VCF. 23\n\n      The FBI issued a final report on the Initial Operational Capability\nat the end of April 2005. 24 According to the report, the FBI terminated\nwork on the VCF due to the lack of progress on its development. The\nFBI stated that it was concerned that the computer code being used to\ndevelop the VCF lacked a modular structure, thereby making\nenhancements and maintenance difficult. In addition, the FBI report\nsaid that the \xe2\x80\x9cmarketplace\xe2\x80\x9d had changed significantly since the VCF\ndevelopment had begun, and appropriate COTS products, which were\npreviously unavailable, were now available.\n\nSentinel\n\n      Similar to what the FBI had envisioned for the final version of\nthe VCF, Sentinel is intended to not only provide a new electronic case\nmanagement system, transitioning the FBI files from paper-based to\nelectronic records, but also to result in streamlined processes for\nemployees to maintain investigative lead and case data. In essence,\nthe FBI expects Sentinel to be an integrated system supporting the\nprocessing, storage, and management of information to allow the FBI\nto more effectively perform its investigative and intelligence\noperations.\n\n      According to the FBI, the use of Sentinel in the future will\ndepend on the system\xe2\x80\x99s ability to be easily adapted to evolving\ninvestigative and intelligence business requirements over time.\n\n       23\n           Department of Justice, Office of the Inspector General, The Federal Bureau\nof Investigation\xe2\x80\x99s Management of the Trilogy Information Technology Modernization\nProject, Audit Report Number 05-07, February 2005.\n       24\n           Department of Justice, Federal Bureau of Investigation. Federal Bureau of\nInvestigation: Virtual Case File Initial Operational Capability Final Report, version\n1.0, April 29, 2005.\n\n                                         -4-\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nTherefore, the FBI has been working to develop Sentinel using a\nflexible software architecture that allows economical and efficient\nchanges to software components as needed in the future. According\nto the FBI, a key element of the Sentinel architecture contributing to\nachieving this flexibility is the use of COTS and government-off-the-\nshelf applications software. The FBI has been working to integrate the\noff-the-shelf products with an Oracle database, thereby separating the\napplications code from the underlying data being managed in order to\nsimplify future upgrades.\n\n      FBI agents are required to document investigative activity and\ninformation obtained during an investigation. The case file is the\ncentral system for holding these records and managing investigative\nresources. As a result, the case file includes documentation from the\ninception of a case to its conclusion. FBI agents and analysts currently\ncreate paper files in performing their work, making the process of\nadding a document to a case file a highly paper-intensive, manual\nprocess. Files for major cases can contain over 100,000 documents,\nleads, and evidence items.\n\n      Currently, the documentation within case files is electronically\nmanaged through the ACS system, which maintains electronic copies\nof most documents in the case file and provides references to\ndocuments that exist in hardcopy only. Upon approval of a paper\ndocument, an electronic copy of the completed document is uploaded\nto the electronic case file of the ACS system. However, ACS is a\nseverely outdated system that is cumbersome to use effectively and\ndoes not facilitate the searching and sharing of information. The\nlimited capabilities of the ACS mean that agents and analysts cannot\neasily acquire and link information across the FBI.\n\n       In contrast, the FBI expects Sentinel to greatly enhance the\nusability of case files for agents and analysts, both in terms of adding\ninformation to case files as well as searching for case information. FBI\nsupervisors, reviewers, and others involved in the approval process\nwill also be able to review, comment, and approve the insertion of\ndocuments into appropriate FBI electronic files through Sentinel.\n\nSentinel\xe2\x80\x99s Phased Approach\n\n      As originally conceived, the FBI expected to develop the Sentinel\nproject in 4 partially overlapping phases, each lasting approximately\n12- to 16-months. However, at the time of our audit the FBI was\nreevaluating the number of phases and the capabilities each phase will\n                                  -5-\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                             REDACTED FOR PUBLIC RELEASE\n\n\ndeliver as it gained experience with the project\xe2\x80\x99s development. Each\nphase, when deployed, was to result in a stand-alone set of\ncapabilities that could be added to by subsequent phases to complete\nthe Sentinel project. The following chart shows the FBI\xe2\x80\x99s original\nconception of the four phases and their general timeframes.\n\n\n                          Conceptual SENTINEL Schedule with\n                                     Capabilities\n\n\n                                            New Electronic Case File                                              Phase 4\n                                               (ECF) Capability\n\n                                           \xc2\x83 Automated Workflow                                      Jan \xe2\x80\x9809                        Dec \xe2\x80\x9809\n                                           \xc2\x83 Document Management\n                                           \xc2\x83 Searching and Reporting                                             New Investigative Case\n                                           \xc2\x83 PKI & Role Based Access                                               Management (ICM)\n               New Portal and              \xc2\x83 Digital Signatures                         Phase 3                        Capability\n                Foundational               \xc2\x83 Records Management\n                Components                 \xc2\x83 Interfaces to Legacy ECF                                            \xc2\x83 Collected Items Mgmt\n                                           \xc2\x83 Start Data Migration (New      Apr \xe2\x80\x9808                 Feb \xe2\x80\x9809      \xc2\x83 Document Scanning\n          \xe2\x80\xa2 SENTINEL Portal with           and Open Cases)                              New Universal            \xc2\x83 Interfaces to Legacy ICM\n          access to ACS                    \xc2\x83 UNI Data Cleansing                          Index (UNI)             Systems\n          \xe2\x80\xa2 Case \xe2\x80\x9cWorkbox\xe2\x80\x9d                                                                Capability             \xc2\x83 Migration of ICM Data\n          \xc2\x83 Components of                                                                                        (Closed Cases)\n          Service-Oriented                                                           \xc2\x83 UNI Data Migration        \xc2\x83 Retirement of Legacy\n                                      Feb \xe2\x80\x9807                            May \xe2\x80\x9808\n          Architecture\n                                                 Phase 2                             \xc2\x83 Interfaces to Legacy      Systems\n          \xc2\x83 ECF Data Cleansing                                                       UNI Systems\n          (formatting)                                                               \xc2\x83 Enhanced Search\n                                                                                     & Improved Indexing\n                                                                                     \xc2\x83 ICM Data Cleansing\n\n                  Phase 1            Apr \xe2\x80\x9807\n     Mar \xe2\x80\x9806\n\n\n\n\n     Mar \xe2\x80\x9806                     Feb \xe2\x80\x9807                                   Apr \xe2\x80\x9808                     Jan \xe2\x80\x9809                       Dec 2009\n\n\n\n\n   Source: FBI\n\n      Phase 1 introduced the Sentinel web-based portal, which\nprovides access to data from the existing ACS system. Eventually,\nthrough incremental changes in subsequent phases, the portal will\ndisplay data from a newly created investigative case management\nsystem. Phase 1 also provides a case management workbox that\npresents a summary of all cases a user is involved with rather than\nrequiring the user to perform a series of queries to find the cases as\nwas necessary when only ACS was used. The Findings and\nRecommendations section of this report contains a more\ncomprehensive discussion of the Phase 1 deliverables.\n\n     Phase 2, the most ambitious and technically difficult of the\nphases, will begin the transition to paperless case records and the\nimplementation of electronic records management. A workflow tool\n                                                            -6-\n\n                             REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nwill support the flow of electronic documents through the review and\napproval cycles, and a new security framework will be implemented to\nsupport access controls and electronic signatures. Additionally, in\nPhase 2, the FBI will begin migrating data from the ACS electronic\ncase file to Sentinel and preparing data from the Universal Index\n(discussed below) to be migrated to Sentinel in Phase 3.\n\n      Phase 3 will replace the Universal Index (UNI), which is used to\ndetermine if any information about a person, place, or thing exists\nwithin the FBI\xe2\x80\x99s current case management system. The UNI is a\ndatabase of persons, places, and things that have relevance to an\ninvestigative case. While the current UNI supports only a limited\nnumber of attributes, Phase 3 will expand the number of attributes\nwithin the information management system. 25 Enhancing the\nattributes will allow more precise and comprehensive searching within\nSentinel and increase the FBI\xe2\x80\x99s ability to \xe2\x80\x9cconnect the dots.\xe2\x80\x9d\n\n      Phase 4 will implement Sentinel\xe2\x80\x99s new case management and\nreporting capabilities, and will consolidate the various case\nmanagement components into one overall system. Shortly after the\nend of this phase, the legacy systems will be shut down and the\nremaining cases in the legacy ACS electronic case file will be migrated\nto the new case management system. In this phase, as in all the\nothers, changes to the Sentinel portal will be required to accommodate\nthe new features being introduced.\n\nFBI Management Processes and Controls\n\n      In the early stages of the Trilogy project, the OIG and U.S.\nGovernment Accountability Office (GAO) recommended that the FBI\nestablish Information Technology Investment Management (ITIM)\nprocesses to guide the development of its IT projects. In response, in\n2004 the FBI issued its Life Cycle Management Directive (LCMD). The\nLCMD covers the entire IT system life cycle, including planning,\nacquisition, development, testing, and operations and maintenance.\nAs a result, the LCMD provides the framework for standardized,\nrepeatable, and sustainable processes and best practices in developing\nIT systems. Application of the IT systems life cycle within the LCMD\ncan also enhance guidance for IT programs and projects, leverage\n\n       25\n           An attribute defines a property of an object within a case file. Examples of\nattributes are eye color, height, and nationality when describing an individual or\naddress, floor, and room number when describing a specific location.\n\n                                         -7-\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\ntechnology, build institutional knowledge, and ensure that\ndevelopment is based on industry and government best practices. The\nLCMD is comprised of four integrated components: life cycle phases,\ncontrol gates, project level reviews, and key support processes. A\ndiagram showing how these components relate to each other and a\ndescription of the life cycle phases, control gates, and the project level\nreviews mentioned throughout this report are contained in Appendix 3.\n\n      The LCMD established policies and guidance applicable to all FBI\nIT programs and projects, including Sentinel. As we discussed in our\nMarch 2006 report on Sentinel, we believe the structure and controls\nimposed by the LCMD can help prevent many of the problems\nencountered during the failed VCF effort. Since our March 2006 report\non Sentinel, the FBI has further refined its LCMD and is applying the\nrevised directive to Sentinel.\n\nEarned Value Management System\n\n      Earned Value Management (EVM) is a tool that measures the\nperformance of a project by comparing the variance between\nestablished cost, schedule, and performance baselines to what is\nactually taking place. These variances are measured periodically to\ngive project managers a timely perspective on the status of a project.\nEVM then can provide an early warning that a project is heading for\ntrouble. EVM reporting is an important risk-management tool for a\nmajor IT development project such as Sentinel.\n\n      In August 2005, the Office of Management and Budget (OMB)\nissued a memorandum requiring all federal agency Chief Information\nOfficers (CIOs) to manage and measure all major IT projects using an\nEVM system. Additionally, all agencies were to develop policies for full\nimplementation of EVM on IT projects by December 31, 2005. The\nDepartment of Justice issued its EVM policy in July 2006. In response\nto these requirements, the FBI developed a Sentinel Program EVM\nCapability Implementation Plan in August 2006 and subsequently\nacquired a tool to implement an EVM system for the Sentinel project.\n\n      The OMB EVM memorandum also required that integrated\nbaseline reviews (IBRs) be performed for any projects that require\nEVM in order to establish performance management baselines against\nwhich a project\xe2\x80\x99s performance can be measured. 26 Properly executed,\n\n      26\n          The performance measurement baseline is a total, time-phased budget\nplan against which program performance is measured.\n                                      -8-\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nIBRs are an essential element of a program manager\xe2\x80\x99s risk-\nmanagement approach. IBRs are intended to provide both the\ngovernment\xe2\x80\x99s and the contractor\xe2\x80\x99s program managers with a mutual\nunderstanding of the project\xe2\x80\x99s performance measurement baseline and\nagreement on a plan of action to resolve identified risks.\n\n     According to OMB guidance, the objective of an IBR is to confirm\ncompliance with the following business rules:\n\n     \xe2\x80\xa2   The technical scope of work is complete and consistent with\n         authorizing documents;\n\n     \xe2\x80\xa2   Key schedule milestones are identified;\n\n     \xe2\x80\xa2   Supporting schedules reflect a logical flow to accomplish the\n         technical work scope;\n\n     \xe2\x80\xa2   Resources, including money, facilities, personnel, and skills,\n         are adequate and available for the assigned tasks;\n\n     \xe2\x80\xa2   Tasks are planned and can be measured objectively, relative\n         to technical progress;\n\n     \xe2\x80\xa2   Underlying performance measurement baseline rationales are\n         reasonable; and\n\n     \xe2\x80\xa2   Managers have appropriately implemented required\n         management processes.\n\nPrior Reports\n\n      Over the past few years, the OIG and other oversight entities\nhave issued reports examining the FBI\xe2\x80\x99s attempts to update its case\nmanagement system. In these reports the OIG, the GAO, the House\nof Representatives\xe2\x80\x99 Surveys and Investigations Staff, and others have\nmade a variety of recommendations focusing on the FBI\xe2\x80\x99s\nmanagement of its IT projects, particularly the VCF portion of the\nTrilogy project, and the continuing need to replace the outdated ACS\nsystem. More recently the OIG has reported on Sentinel, the\nsuccessor to the VCF project. A discussion of key points from these\nreports follows. (A more comprehensive description of the reports\nappears in Appendix 4.)\n\n\n                                  -9-\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n      In the first OIG Sentinel report issued in March 2006, we\ndiscussed the FBI\xe2\x80\x99s pre-acquisition planning for the Sentinel project,\nincluding the approach, design, cost, funding sources, time frame,\ncontracting vehicle, and oversight structure. 27 In reviewing the\nmanagement processes and controls the FBI had applied to the pre-\nacquisition phase of Sentinel, the OIG found that the FBI developed IT\nplanning processes that, if implemented as designed, could help the\nFBI successfully complete Sentinel.\n\n      In particular, the OIG found that the FBI had made\nimprovements in its ability to plan and manage a major IT project by\nestablishing ITIM processes, developing a more mature Enterprise\nArchitecture, and establishing a PMO dedicated to the Sentinel project.\n\n      However, at that time the OIG identified several concerns about\nthe FBI\xe2\x80\x99s management of the Sentinel project, including: (1) the\nincomplete staffing of the Sentinel PMO, (2) the FBI\xe2\x80\x99s ability to\nreprogram funds to complete the second phase of the project without\njeopardizing its mission-critical operations, (3) Sentinel\xe2\x80\x99s ability to\nshare information with external intelligence and law enforcement\nagencies and provide a common framework for other agencies\xe2\x80\x99 case\nmanagement systems, (4) the lack of an established EVM process,\n(5) the FBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs, and (6) the\nlack of complete documentation required by the FBI\xe2\x80\x99s information\ntechnology investment management processes.\n\n       In December 2006, the OIG released the second in a series of\naudit reports that examined the FBI\xe2\x80\x99s development and\nimplementation of the Sentinel project. 28 This report discussed:\n(1) the progress the FBI made in resolving the concerns identified in\nthe first OIG report on the planning for Sentinel, and (2) whether the\ncontract with Lockheed Martin and the FBI\xe2\x80\x99s ITIM processes and\nproject management are likely to contribute to the successful\nimplementation of Sentinel. The OIG found that the FBI resolved most\nof the concerns the OIG identified in its first Sentinel audit, although\nthe audit reported that some aspects of those concerns as well as\n\n       27\n          Department of Justice, Office of the Inspector General. The Federal Bureau\nof Investigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls Over the Sentinel Case\nManagement System, Audit Report Number 06-14, March 2006.\n       28\n           Department of Justice, Office of the Inspector General. Sentinel Audit II:\nStatus of the Federal Bureau of Investigation\xe2\x80\x99s Case Management System, Audit\nReport Number 07-03, December 2006.\n\n                                        - 10 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nsome new concerns identified in the second audit merited continued\nmonitoring. Specifically, the OIG found that the FBI had made\nprogress in: (1) establishing cost tracking and control processes,\n(2) implementing an Earned Value Management (EVM) system to help\nmeasure progress toward project baselines, (3) developing an IV&V\nplan, (4) developing information sharing capabilities, and (5) hiring\nmore PMO staff.\n\n       Among the areas that warranted continued monitoring by the\nFBI, the OIG, and other oversight entities were the: (1) funding of the\nSentinel project and the effect on the FBI\xe2\x80\x99s operations or other\nprojects if a reprogramming of funds was required, (2) accuracy of the\nestimated cost of the project, (3) availability of contingency plans for\nidentified project risks, and (4) completion of Sentinel PMO staffing.\n\n      In May 2006, the GAO released a report critical of the FBI\xe2\x80\x99s\ncontrols over costs and assets of its Trilogy project. 29 The GAO found\nthat the FBI\xe2\x80\x99s review and approval process for Trilogy contractor\ninvoices did not provide an adequate basis for verifying that goods and\nservices billed were actually received and that the amounts billed were\nappropriate, leaving the FBI highly vulnerable to payments of\nunallowable costs. These costs included first-class travel and other\nexcessive airfare costs, incorrect charges for overtime hours, and\ncharges for which the contractors could not document costs incurred.\nThe GAO found about $10 million in unsupported and questionable\ncosts. The GAO also found that the FBI failed to establish controls to\nmaintain accountability over equipment purchased for the Trilogy\nproject. According to the GAO, poor property management led to\n1,200 missing pieces of equipment valued at $7.6 million.\n\n       In July 2007, the GAO issued a report on the extent to which the\nFBI had established best practices for acquiring Sentinel and\nestimating the project\xe2\x80\x99s schedule and costs. 30 The GAO concluded\nthat, in general, the FBI had best practices in place for acquiring IT\nsystems, including practices for evaluating offers and awarding\ncontracts. In contrast, our audit examined the FBI\xe2\x80\x99s implementation of\n\n      29\n          U.S. Government Accountability Office. Federal Bureau of Investigation:\nWeak Controls over Trilogy Project Led to Payment of Questionable Contractor Costs\nand Missing Assets, Report Number GAO-06-306, May 2006.\n      30\n          U.S. Government Accountability Office, Information Technology: FBI\nFollowing a Number of Key Acquisition Practices on New Case Management System\nbut Improvements Still Needed, July 2007.\n\n                                      - 11 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nits policies and procedures for managing the development of Sentinel,\nincluding several related to the best practices reviewed by the GAO.\nBecause our audit focused on how these policies and procedures were\nactually implemented, our findings differ from the GAO\xe2\x80\x99s because we\nfound areas of inadequate implementation.\n\n\n\n\n                                - 12 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n                 FINDINGS AND RECOMMENDATIONS\n\nFinding 1: Phase 1 Schedule, Cost, and Performance\n\n      Phase 1 of Sentinel, deployed on June 19, 2007, delivered\n      two key components of the FBI\xe2\x80\x99s new information and\n      investigative case management system: a web-based\n      portal to ACS data and workboxes to aid in case\n      management. However, Phase 1 took about 2 months\n      longer than scheduled, cost slightly more than the FBI\n      expected, and delivered less than originally planned. Our\n      audit found four main causes for the delay, including:\n      (1) unrealistic schedule expectations by the FBI,\n      (2) Lockheed Martin\xe2\x80\x99s delays in staffing, (3) challenges\n      Lockheed Martin encountered in integrating COTS software\n      programs to work together as a system, and (4) FBI\n      problems in assessing the project\xe2\x80\x99s progress against the\n      approved schedule.\n\n      With regard to deliverables, Phase 1 did not deliver all the\n      commonly understood foundational components of a\n      service-oriented architecture (a concept that we found to\n      be ill-defined), but did deliver the enterprise service bus\n      component that was appropriate for the first phase of the\n      project. 31 Phase I did not cleanse the data in the\n      electronic case file module of ACS as originally proposed\n      because the FBI said it would be more efficient to do so in\n      Phase 2 of the Sentinel project. Also, the web-based\n      portal developed in Phase 1 did not include the full range\n      of functionality originally anticipated.\n\n      Further, as a result of a series of contract modifications,\n      the cost of Phase 1 exceeded the amount originally\n      budgeted for Lockheed Martin although the overall contract\n      value of $305 million did not change. Lockheed Martin\xe2\x80\x99s\n      costs exceeded the revised contract amount of $59.7\n      million by approximately $4.4 million. However, Lockheed\n      Martin and the FBI agreed that Lockheed Martin would only\n      be paid the amount of the revised budget, a figure that\n\n\n\n       An enterprise service bus is software \xe2\x80\x9cmiddleware\xe2\x80\x9d that connects software\n      31\n\ncomponents and allows the components to communicate with each other.\n\n                                      - 13 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n       included using the $2 million budgeted for award fees. 32\n       Other factors such as the transfer of requirements to later\n       phases of the project, not tying all deliverables to the\n       requirements, and transferring costs from Lockheed\n       Martin\xe2\x80\x99s budget to the PMO\xe2\x80\x99s budget suggest that the cost\n       of Sentinel ultimately may be higher than originally\n       anticipated.\n\nSchedule Delay\n\n      The FBI and Lockheed Martin established April 19, 2007, as the\ncompletion date for Phase 1 during the Initial Baseline Review (IBR) in\nMay 2006. 33 During the IBR, held about 2 months after the contract\naward, the FBI and Lockheed Martin agreed to a schedule for Phase 1,\nincluding all the program-level reviews and life cycle management\nreviews.\n\n      By September 2006, the time the Critical Design Review was\noriginally scheduled to be performed, Lockheed Martin\xe2\x80\x99s performance\ndeviated from the schedule to such a degree that the FBI directed\nLockheed Martin to postpone the Critical Design Review until October\n2006. Specifically, several principal design documents prepared by\nLockheed Martin were returned by the PMO without comment because\nthe documents were insufficient.\n\n       Despite concerns about the completeness of these key design\ndocuments, the FBI allowed Phase 1 to pass the Final Design Review in\nOctober 2006. At that time, PMO officials told Lockheed Martin that its\nschedule for the remaining work was not feasible and directed\nLockheed Martin to replan the schedule for the remainder of Phase 1.\nLockheed Martin reconsidered the schedule for the remaining work,\nincluding the approach to the remaining tasks, the linkage between\nthe remaining tasks, and whether additional resources could shorten\nthe length of time needed to complete the remaining tasks. Lockheed\nMartin then provided a revised schedule to the FBI. The FBI approved\nthe revised Lockheed Martin schedule, and that schedule remained in\neffect until March 2007 when the FBI and Lockheed Martin jointly\ndecided that Lockheed Martin would not be able to resolve all of the\n\n       32\n           Lockheed Martin did not receive the award fee. Instead, the FBI allowed it\nto transfer the $2 million budgeted for the award fee to the cost portion of the\nbudget.\n       33\n           See Appendix 3 for an explanation of the management reviews of the\nproject discussed throughout this report.\n                                        - 14 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\ndeficiencies identified during testing in time to meet the Delivery\nAcceptance Review scheduled for April 19, 2007. A discussion on the\nreasons for the delays follows.\n\nCauses for Delay\n\n      Our audit found the following four primary causes for the delay\nin the delivery of Phase 1: (1) an unrealistic schedule, (2) delays by\nLockheed Martin in fully staffing the project with appropriately\nexperienced personnel, (3) challenges in integrating the various COTS\nsoftware components to work as a system, and (4) a progress\nreporting schedule that did not allow the FBI to assess the schedule\nimpact of changes proposed by Lockheed during the course of Phase 1.\n\nUnrealistic Schedule\n\n      Prior to formally soliciting proposals for Sentinel, the FBI created\na notional schedule that broke the project into four phases, identified\ndeliverables for each phase, and provided an estimated timeline for\neach phase. Various documents outline the FBI\xe2\x80\x99s concept for\nSentinel\xe2\x80\x99s development schedule, including the following timeline.\n\n\n\n\n                                  - 15 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n\n\nSource: The FBI\n\n       While the Sentinel Acquisition Plan clearly stated that potential\nvendors were free to submit proposals with a different number of\nphases or suggest changes to the deliverables identified in each phase,\nvendors\xe2\x80\x99 proposals had to meet the FBI\xe2\x80\x99s overall deadline of\ncompletion by December 2009. PMO personnel said that Lockheed\nMartin\xe2\x80\x99s proposal closely aligned with the FBI\xe2\x80\x99s notional schedule in an\neffort to win the FBI\xe2\x80\x99s business. The PMO personnel also stated that\nLockheed Martin\xe2\x80\x99s proposal was completed before it familiarized itself\nwith ACS and that instead of basing the Phase 1 schedule on the FBI\xe2\x80\x99s\nnotional concept of the project, Lockheed Martin should have based\nthe schedule on its own estimates of the time required to achieve the\ntasks contained in Phase 1.\n\n      In addition to broad outlines of the project\xe2\x80\x99s overall schedule,\nthe FBI also dictated certain project milestones. For example,\n                                  - 16 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nSentinel\xe2\x80\x99s Statement of Work specified the timing of the Contract\nImplementation Review, the Requirements Clarification Review, and\nthe IBR. All three of these reviews, described in Appendix 3, were to\noccur within 60 days of the March 16, 2006, contract award date for\nSentinel. Meeting the schedule specified in the Statement of Work\nwould have required that Lockheed Martin staff the Sentinel project\nshortly after receiving the contract. The Sentinel Program Manager\ntold us that, in retrospect, the timeframes in the Statement of Work\nwere overly aggressive because they did not allow Lockheed Martin\nenough time to staff the project.\n\nDelays in Staffing\n\n      In addition to the aggressive schedule, which gave Lockheed\nMartin little time to properly staff the Sentinel project, other factors\nfurther delayed Lockheed Martin from properly staffing the project. A\nhigh demand for personnel with current top secret clearances in the\nWashington, D.C., area also affected the staffing of the project, as did\nLockheed Martin\xe2\x80\x99s underestimation of the level of experience with\nCOTS integration that its personnel needed to have. These issues\ncontributed to both delays in staffing and also higher-than-expected\npersonnel costs.\n\n      Almost immediately following the contract award, Lockheed\nMartin fell behind in its projected staffing levels. For example, by May\n2006, less than 2 months into the contract, Lockheed Martin\xe2\x80\x99s\nspending on personnel according to EVM data was $476,000 less than\nexpected primarily because the project had yet to be fully staffed.\nAccording to the FBI, the costs for qualified personnel with top secret\nclearances were 25 to 40 percent higher than the cost Lockheed Martin\nprojected due to a limited supply of qualified personnel with top secret\nclearances. The FBI said that shortly after the Sentinel contract was\nawarded, the Defense Security Service, the organization responsible\nfor performing background investigations and granting clearances,\nsuspended its processing of clearances for all government contractors\nfor 6 months in an effort to clear its backlog of requests for such\nclearances. As a result of the suspension, the supply of cleared\ncontractor personnel, which was already insufficient to meet demand,\ndwindled even more. While Lockheed Martin had fewer staff than\nplanned, it had to pay each individual more than expected.\n\n      In addition, Lockheed Martin and the FBI also underestimated\nthe level of COTS integration experience that personnel would need for\nthe Sentinel project. In a January 2007 briefing to the FBI\xe2\x80\x99s Associate\n                                  - 17 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\nDeputy Director, the Sentinel Program Manager said that both the FBI\nand Lockheed Martin based their original personnel cost estimates on\nthe assumption that most of the development work could be\ncompleted by recent college graduates, an approach Lockheed Martin\nhad successfully used on a large scale information technology project\nat the Social Security Administration. Several PMO and FBI Chief\nInformation Office personnel said that throughout Phase 1 of Sentinel,\nthe level of expertise required of the Lockheed Martin staff to deal with\nSentinel\xe2\x80\x99s COTS software was not sufficient for the project, although\nthey said that Lockheed Martin eventually added the required\nexpertise. FBI officials said the quality of the Lockheed Martin staff\nhad improved during the first phase, but that additional improvements\nneed to be made if the subsequent phases of the project are going to\nbe successful. Others said that Lockheed Martin should have\nconsidered contracting with the software manufacturers who\ndeveloped the most challenging pieces of software to help with\nimplementation.\n\n      According to FBI officials, both the FBI and Lockheed Martin\nrecognize that they underestimated the level of expertise necessary to\nwork on the interface with ACS and integrate the COTS software\nproducts which make up Sentinel and a service-oriented architecture\n(explained in more detail later in this report). According to the FBI, at\nthe time of contract award the division of Lockheed Martin awarded\nthe Sentinel contract had a limited personnel pool from which to draw,\nand it was not successful in hiring the additional personnel needed in a\ntimely manner. As a result, Lockheed Martin relied more heavily on\nsubcontractors than anticipated and transferred personnel from within\nother parts of the company.\n\nCOTS Integration\n\n       Several PMO officials, including the Sentinel Program Manager\nand Lockheed Martin\xe2\x80\x99s Deputy Program Manager, stated that\nintegrating the various software modules that comprise Phase 1 into a\nunified system was a major challenge in Phase 1. Several variables\naffect how a given piece of software will perform, including: the\nhardware that the software is running on, the settings for that\nhardware, the settings for the software itself, and the addition of other\nsoftware on the system and the settings of that software. According to\nPMO personnel, many of the individual software products can be\nconfigured in hundreds of different ways. As a result, there are\nhundreds of potential issues that can occur when integrating different\npieces of software into a system. Consequently, identifying why a\n                                  - 18 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nparticular problem occurred within an integrated system is difficult due\nto the number of variables impacting the system.\n\n       The Lockheed Martin Deputy Program Manager said that while\nsoftware and hardware manufacturers\xe2\x80\x99 literature, demonstrations, and\ntrade studies provide information about the functionality of their\nproducts, hands-on experience is necessary to determine if the general\ncapabilities of a particular COTS product can be configured to\nimplement the specific functions required by a particular customer.\nAccording to the Deputy Program Manager, it is virtually impossible to\ncomplete a design involving COTS products without hands-on\nexperience with the product and its interfaces. Risk factors for COTS\nintegration include the number of COTS components, the number of\ninterfaces, the complexity of the interfaces, and the amount of\nknowledge and experience the integrator has with the product.\nBecause Sentinel is using multiple software programs, and more than\none software product may be capable of performing a particular\nfunction, Lockheed Martin had to decide which product to use based on\nthe advantages and disadvantages of each choice. Most COTS\nproducts are complex enough that some amount of manufacturer\nsupport is required to use the product efficiently.\n\n       Several of these factors appear to have had an impact on\nSentinel development during Phase 1 of the project. As discussed\npreviously, Lockheed Martin did not have staff assigned to the project\nwith significant expertise in the software components being used to\nbuild Sentinel. Also, the major COTS software manufacturers were not\nofficial Lockheed Martin subcontractors, so their input was not sought\nin the design phase of the project. Once Sentinel encountered\nproblems, obtaining support from the software manufacturers was\ntime-consuming.\n\n      Two other factors compounded the general challenge of COTS\nintegration. First, according to the FBI CIO the FBI is using the latest\nsoftware and technologies in developing Sentinel, and therefore some\nof the software has bugs that had not previously been identified by the\nmanufacturer. In at least one case, the developer of the software was\nnot aware of the bug until being notified by the FBI and Lockheed\nMartin. Because this was a new bug, the manufacturer had to\nresearch the cause and develop a solution before Lockheed could\nimplement the patch to the software. Second, Lockheed Martin did not\ndevelop a COTS integration strategy to describe what approach it\nwould take to overcome the compatibility issues of Sentinel\xe2\x80\x99s various\n\n                                 - 19 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\ncomponents. 34 The Sentinel architect and the independent verification\nand validation (IV&V) team both cited the lack of an integration\nstrategy as a primary reason for the integration problems Lockheed\nMartin faced during Phase 1. 35\n\nAssessing Progress\n\n       Sentinel PMO personnel said that the methodology used by\nLockheed Martin to construct the Sentinel project\xe2\x80\x99s schedule made it\ndifficult to assess the progress of the project. Specifically, they said\nthe schedule: (1) overused \xe2\x80\x9chard constraints\xe2\x80\x9d, (2) contained logic\nproblems, (3) was not updated accurately, and (4) contained a high\npercentage of \xe2\x80\x9clevel-of-effort\xe2\x80\x9d tasks.\n\n       Hard Constraints\n\n      Lockheed Martin utilized project management software that\nincluded a program to establish the project\xe2\x80\x99s schedule. Within the\nschedule, timeframes were set for the completion of specific tasks, and\nthese tasks were entered into the schedule as \xe2\x80\x9chard constraints.\xe2\x80\x9d\nHard constraints are dates entered into a schedule that require a task\nto begin or end on a specific date, regardless of any other activity with\nthe schedule. Additionally, if a hard constraint is entered into the\nschedule for a task, the schedule\xe2\x80\x99s software will assume that the task\nmet the constraint, regardless of whether or not it did. For example, if\na task had a hard constraint to be completed by December 1, 2006,\nunless the date was updated the project software would assume that\nthe task was completed by that date, regardless of the actual progress\non the task. Also, if a task has a fixed end date entered into the\nscheduling software and the task is not actually completed by that\ndate, all of the subsequent phases will not be delayed within the\nschedule and the completion date for the whole project will not be\nmoved back. Because of this, hard constraints cloud an assessment of\nthe impact of schedule slippages on the project end date.\n\n\n\n       34\n          In general, the strategies for integrating COTS components include\nadjusting the standard configuration settings of the system\xe2\x80\x99s components, modifying\nthe system\xe2\x80\x99s components, replacing problematic components, and adding additional\ncomponents.\n       35\n           In September 2006, the FBI obtained the services of Booz Allen Hamilton\nto perform the IV&V function for the Sentinel project. See Finding 2 for a more\ndetailed discussion of IV&V.\n                                       - 20 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n      While the Sentinel Deputy Program Manager stated that hard\nconstraints are helpful in creating a sense of urgency about completing\na task, we found that using a large number of hard constraints limited\nthe FBI\xe2\x80\x99s ability to assess the progress being made on the Sentinel\nproject. Several PMO personnel attributed the overuse of hard\nconstraints to Lockheed Martin\xe2\x80\x99s problems hiring and retaining an\nexperienced scheduler, an issue they now believe Lockheed Martin has\nresolved. At the PMO\xe2\x80\x99s request, Lockheed Martin has removed many\nof the hard constraints from the Sentinel development schedule.\n\n      Logic Problems\n\n      PMO officials also cited problems with some of the logic of\nLockheed Martin\xe2\x80\x99s schedule. Specifically, they said Lockheed Martin\xe2\x80\x99s\nschedule did not always accurately reflect the interdependence\nbetween tasks and linked some tasks that were not interdependent\nwhile failing to link others that were.\n\n      Schedule Updates\n\n       Assessing the project\xe2\x80\x99s progress was also difficult because\nLockheed Martin did not accurately update the schedule as required.\nSentinel PMO personnel said a task\xe2\x80\x99s reported rate of completion\nappeared to be based on Lockheed Martin management\xe2\x80\x99s assessment\nof what it thought the FBI wanted to hear, rather than an actual\nassessment of the percentage of the task completed. Two IV&V\nreports confirmed problems with Lockheed Martin\xe2\x80\x99s maintenance of the\nschedule, including that the schedule was not updated to reflect\nactivities that occurred in the most recent reporting period and\ninaccurate reporting on the percentage of completion of tasks.\nSpecifically, the IV&V team found that various tasks would be 99\npercent complete for more than one reporting period, allowing\nLockheed Martin to claim all but 1 percent of the cost of a task but not\nclaim that the task was completed.\n\n      Level-of-Effort Tasks\n\n      An FBI policy on EVM issued by the FBI CIO in March 2006\nrecognizes that some portion of the development of IT systems will be\ncharacterized as level-of-effort, meaning that progress toward the\ncompletion of a task is measured by time spent on the task rather\nthan progress toward completing the task. Tasks that do not have a\ndefined deliverable, such as project management, are often measured\nusing level of effort. However, because level-of-effort tasks are not\n                                 - 21 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\ntied to a deliverable, it is difficult to determine how much their\ncompletion contributes to the overall progress of a project. Therefore,\nin IT development projects like Sentinel it is prudent to have a\nschedule with as few level-of-effort tasks as possible. Recognizing\nthis, the FBI\xe2\x80\x99s EVM policy requires a project to receive approval from\nthe Chief of the Project Assurance Unit when planned level-of-effort\ntasks exceed 15 percent of the total work hours for a project. The\nFBI\xe2\x80\x99s Project Assurance Unit denied the PMO\xe2\x80\x99s request to exceed the\n15 percent threshold for Sentinel. However, the PMO appealed the\ndenial to the FBI\xe2\x80\x99s CIO and received his approval for the planned level-\nof-effort hours. As shown in the graph below, for every month since\nthe IBR the actual percentage of level-of-effort tasks exceeded the 15\npercent threshold established by the FBI. With the exception of July\n2006 through October 2006, the budgeted amount of level-of-effort\ntasks also exceeded 15 percent of the budgeted hours. A high level of\nboth budgeted and actual level-of-effort tasks makes it difficult to\naccurately assess the progress of a project toward meeting its goals.\n\n   Level\xe2\x80\x93of-Effort Tasks as a Percentage of Total Work Hours\n                 June 2006 through April 2007\n\n\n       70.0%\n       60.0%\n       50.0%\n       40.0%                                            Budgeted\n                                                        Actual\n       30.0%\n                                                        EVM Policy\n       20.0%\n       10.0%\n        0.0%\n           S E - 06\n\n\n\n\n           D - 06\n\n\n\n\n           AP -0 7\n           N - 06\n           J U 06\n\n\n\n\n                   7\n           F E 07\n           J A 06\n\n\n           M 07\n           A U 06\n\n\n\n           O 06\n\n\n\n\n                -0\n                 -\n\n\n\n\n              N-\n                -\n\n\n               B-\n               L-\n\n\n              P-\n\n\n\n               V\n               G\n\n\n\n\n               R\n               T\n               N\n\n\n\n\n              R\n            EC\n             C\n             O\n          JU\n\n\n\n\n             A\n\n\n\n\n      Source: FBI data\n\n      As Phase 1 progressed, the percentage of hours budgeted for\nlevel-of-effort tasks increased. The following graph shows the increase\nin level-of-effort hours budgeted for June 2006 through April 2007 at\nthe IBR to the hours budgeted in the Phase 1 budget as of March\n2007.\n\n\n                                 - 22 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                                     REDACTED FOR PUBLIC RELEASE\n\n\n                           Hours Budgeted for Level-of-Effort Tasks\n                             June 2006 Plan vs. March 2007 Plan\n\n\n                         30,000\n\n                         25,000\n        Hours Budgeted\n\n\n                         20,000\n                                                                                   June 2006 Plan\n                         15,000\n                                                                                   March 2007 Plan\n                         10,000\n\n                          5,000\n\n                             0\n                                           6\n\n                                                   06\n                                  6\n\n\n\n\n                                                                               7\n                                                             6\n\n                                                                      07\n                                          -0\n                                -0\n\n\n\n\n                                                                            -0\n                                                            -0\n                                                   T-\n\n\n\n\n                                                                  B-\n                                      G\n                             N\n\n\n\n\n                                                                           R\n                                                        EC\n                                               C\n                           JU\n\n                                     AU\n\n\n\n\n                                                                 FE\n\n                                                                       AP\n                                               O\n\n                                                        D\n\n\n\n\n      Source: FBI data\n\n       As of April 2007, spending on level\xe2\x80\x93of-effort tasks accounted for\n27 percent of the total Phase 1 budget. An FBI analysis of the\nincrease in spending on level-of-effort tasks concluded that most of\nthe increase resulted from higher than expected spending on program\nmanagement costs. This, in turn, resulted from higher than expected\nstaffing and labor costs.\n\nTight Schedule Affected Implementation of LCMD Processes\n\n       In attempting to meet the Phase 1 schedule, the FBI took risks\nthat affected the quality of some of the Phase 1 deliverables and may\nhave contributed to the schedule delays. Specifically, the FBI allowed\nLockheed Martin to begin building Phase 1 before the design\ndocumentation was complete, contributing to some of the problems\nencountered in the testing of Phase 1. The FBI also allowed Phase 1 to\nprogress to the next stage of testing before correcting all critical\ndeficiencies identified in previous stages of testing.\n\nIncomplete Design\n\n      In October 2006, the Sentinel PMO allowed Phase 1 to pass\nthrough the Critical Design Review despite hundreds of unaddressed\nFBI comments on the System Design Document and the Interface\nDesign Document, key design documents that provide programmers\nwith the specifics required to build a system to a customer\xe2\x80\x99s\n                                                                  - 23 -\n\n                                     REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nspecifications. Both the System Design Document and the Interface\nDesign Document are supposed to be finalized and approved during\nthe Critical Design Review.\n\n       The PMO knew of these documents\xe2\x80\x99 shortcomings at the time of\nthe Critical Design Review. Lockheed Martin had submitted both\ndocuments to the PMO 3 weeks before the Critical Design Review to\nallow the FBI time to review and comment on the documents. The\nFBI\xe2\x80\x99s review concluded that the documents did not meet standards for\ncontent, completeness, consistency, and quality, and returned the\ndocuments to Lockheed Martin for additional work. The FBI directed\nLockheed Martin to resubmit the documents and advised Lockheed\nMartin that it would require 2 weeks to provide formal written\ncomments on the revised plans. Lockheed Martin resubmitted the\ndocuments on October 4, 2006, 1 day before the Critical Design\nReview. As agreed, the FBI did not complete its formal review of the\ndocuments until October 18, 2006, 2 weeks after they had been\nresubmitted. However, the FBI and Lockheed Martin still held the\nCritical Design Review on October 5-6, 2006, during which time the\nPMO concluded that Lockheed Martin\xe2\x80\x99s design documentation was\nsufficient to ensure that the design presented could be produced and\nwhen built would meet the design specification.\n\n       Similarly, the Technical Review Board \xe2\x80\x93 part of the FBI\xe2\x80\x99s Life\nCycle Management process described in Appendix 3 \xe2\x80\x93 concluded that\nthe system design was not complete or well documented. However, at\nSentinel\xe2\x80\x99s Final Design Review in October 2006, the Board granted the\nPMO conditional approval to proceed with the project but required that\nsix technical issues be addressed, such as the need to provide details\non the number of modules and design details. The Board\xe2\x80\x99s approval\nauthorized the development of Phase 1 of the project, while also\nrequiring that the deficiencies found in the design documents be\naddressed. Of the six conditions the Board cited, four had not been\nresolved as of April 2007, including three that concerned design\ndocuments.\n\n       While a temporary delay would have occurred if the FBI required\nSentinel\xe2\x80\x99s design to be completed before development began, the time\ninvested during the delay may have shortened the actual time spent\non Phase 1. An April 2007 IV&V report stated that \xe2\x80\x9cHistorically, most\ndeficiencies occurred around the display of information to the Personal\nand Squad Workbox; prototyping and a complete System Design\nDocument and Interface Design Document would have avoided many\nof these deficiencies.\xe2\x80\x9d\n                                 - 24 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\nTesting\n\n       In an apparent effort to keep Sentinel on schedule, the PMO\ndeviated from sound project management and Sentinel\xe2\x80\x99s Test\nEvaluation Master Plan. The PMO allowed Phase 1 to pass through two\nprogram level reviews \xe2\x80\x93 the Product Test Readiness Review and the\nSite Test Readiness Review \xe2\x80\x93 without resolving all high priority\ndeficiency reports as required by the Test and Evaluation Master\nPlan. 36 The IV&V contractor was repeatedly critical of Sentinel\xe2\x80\x99s\ntesting and expressed concern about the impact the testing\nmodifications would have on the stability of the system as it moved\nforward.\n\n       While we believe that adherence to schedule goals is desirable,\nthe risk of project failure appreciably rises if corners are cut and there\nis not adequate quantitative data to assess the risks to the project of\nnot implementing disciplined processes in critical areas. Ineffective\nimplementation of these processes exposes a project to the\nunnecessary risk that costly reworks could be required, which in turn\nwould adversely affect the project\xe2\x80\x99s cost and schedule and can\nadversely affect the ultimate performance of the system. Effective\nproject management requires quantitative data or metrics to assess\nwhether a project plan needs to be adjusted and to determine what\noversight actions may be needed to ensure that the project meets its\nstated goals and complies with agency guidance.\n\nLockheed Martin\xe2\x80\x99s Cost Performance\n\n        The cost of the contract awarded to Lockheed Martin to develop\nSentinel is about 72 percent of the total Sentinel budget. 37 Therefore,\nLockheed Martin\xe2\x80\x99s ability to deliver its portion of Sentinel within budget\nis critical to the cost performance of the overall project. As the result\nof a series of contract modifications, the value of Lockheed Martin\xe2\x80\x99s\ntask order for Phase 1 increased from $57.2 million at the time of the\nintegrated baseline review (IBR) to $59.7 million in March 2007.\nHowever, in June 2007 Lockheed Martin advised the FBI that it had\nincurred costs totaling $64.1 million in the performance of Phase 1.\nLockheed Martin attributed the cost overruns to unanticipated work in\n\n\n\n       36\n          A deficiency report documents a problem identified in testing and the\nresolution of the problem.\n       37\n            The remaining 28 percent of Sentinel\xe2\x80\x99s budget funds the PMO.\n                                         - 25 -\n\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\ninterfacing with existing FBI computer systems and modifications to\nthe FBI\xe2\x80\x99s testing approach.\n\n       Specifically, Lockheed Martin said the documentation and\nfunctionality of the FBI\xe2\x80\x99s Web-enabled Automated Case Support\n(WACS), Phoenix, and ACS systems differed from the descriptions\nprovided in the FBI\xe2\x80\x99s Request for Proposals. 38 As a result, Lockheed\nMartin was not able to reuse portions of the WACS, Phoenix, or ACS\nportal interfaces, as it previously assumed it could. Consequently,\nLockheed Martin had to develop extensive amounts of new code to\nprovide the functionality it believed it was going to be able to reuse\nfrom these existing systems. In addition, Lockheed Martin said it had\nto develop an interface control document for ACS. Lockheed Martin\nestimates that these two issues required 7 weeks of additional effort\nand cost approximately $3.4 million. The Sentinel Program Manager\nagreed that the ACS interface control document was not sufficient for\nLockheed Martin to do its work, and that the development of a\nsatisfactory interface control document added several weeks to the\nschedule.\n\n       Lockheed Martin said that changes to the FBI\xe2\x80\x99s testing approach\nduring Site Acceptance Testing and User Acceptance Testing also\nresulted in schedule delays and increased costs. 39 Specifically, the\nFBI\xe2\x80\x99s decisions requiring the closure of all high-priority defects prior to\nthe start of Site Acceptance Testing, increasing the scope of Site\nAcceptance Testing, adding unofficial User Acceptance Testing, and\npiloting the system before full deployment cost an additional 3 weeks\nand $1 million for Phase 1. FBI officials told us there was no change in\nthe testing requirements, but to ensure that the system met the FBI\xe2\x80\x99s\nspecifications, supplementary testing was added after the system\nfailed initial tests.\n\n\n\n\n       38\n          Web-Enabled Automated Case Support (WACS) is ACS updated with access\nthrough a web portal. Phoenix is the second generation of WACS intended to access\nACS through mini-programs specifically written to run within Web browsers.\n       39\n           In general, testing ensures the system satisfies FBI requirements for utility\nand performance. Site Acceptance Testing executes a complete set of test\nprocedures on the software that has actually been delivered from the contractor to\nthe FBI and installed in order to insure consistency and functionality in the operation\nof the software. The purpose of User Acceptance Testing is to gain end users\xe2\x80\x99\nacceptance of Sentinel.\n                                          - 26 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n      In June 2007, the FBI and Lockheed Martin agreed that\nLockheed Martin would absorb approximately $4.4 million in costs it\nincurred in excess of the agreed-upon contract amount and that\n$2 million budgeted for award fees would be used to reimburse\nLockheed Martin for costs incurred during the development of Phase 1.\n\n      We found that three factors obscured a precise accounting of\nLockheed Martin\xe2\x80\x99s cost performance, which we describe below. First,\neven though the FBI transferred some Phase 1 requirements to later\nphases of the project, it received cost reductions on Phase 1 from\nLockheed Martin for deferring completion of these requirements.\nSecond, the FBI did not adequately define all of the Phase 1\ndeliverables and did not tie all of the deliverables to the requirements\nagreed upon for Phase 1. Third, the FBI transferred $2.5 million in\nmaterials and services from Lockheed Martin\xe2\x80\x99s budget to the PMO\xe2\x80\x99s\nbudget.\n\nDeferred Requirements\n\n      Over the course of Phase 1, the FBI deferred a total of 57 high-\nand low-level requirements from Phase 1 to later phases. As a result\nof these deferrals, Lockheed Martin was required to deliver less\nfunctionality in Phase 1 than agreed upon at the time the project\nbudget was established. However, the FBI did not require Lockheed\nMartin to determine the decrease in the amount of time and materials\nrequired for Phase 1 resulting from these deferrals, and none of these\ndeferrals resulted in a decrease in the cost of Phase 1.\n\n      The majority of these requirements addressed user interface or\nsecurity capabilities. For example, the capability to display a list of\nleads that a squad had completed in accordance with current ACS\nscreens was deferred to Phase 2. 40 Other areas addressed by the\ndeferred requirements include the system\xe2\x80\x99s ability to format, sort, and\nsearch data.\n\n\n\n\n       40\n          FBI field offices are divided into squads that have specific subject matter\nresponsibilities such as drug trafficking or counterterrorism. A Supervisory Special\nAgent manages each squad and supervises the personnel assigned to the squad.\n                                          - 27 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n          Phase 1 Requirements Deferred to Later Phases\n\n Requirement       Number of           Example of Deferred Requirement\n    Area          Requirements\n                    Deferred\n    Reports             3          Display the number of copies, printer, case\n                                   identification, document types, activity dates,\n                                   user name and identification, and sort option\n                                   when printing Case Document Inventory\n                                   Reports.\n\n    Search               2         Perform unstructured searches against items\n                                   collected during investigations.\n\n    Security             22        Display restricted items with identification\n                                   information (e.g., serial, case identification,\n                                   case owner) in search results or reports for\n                                   users who do not have permission to view the\n                                   item. All other record information shall be\n                                   displayed as "Xs".\n\n User Interface          30        Display a list of covered leads for a squad.\nSource: OIG analysis of FBI data\n\n      According to the FBI, it deferred most of the 57 requirements\nbecause it decided the requirement was outside of the scope of Phase\n1, did not add value to Phase 1, would require the modification of ACS,\nor would duplicate a capability included in a future phase of Sentinel.\nFBI officials said they did not believe it was prudent to invest in\nupgrading ACS because Sentinel is intended to replace it. We\nrecognize that phased projects using COTS components often transfer\nrequirements from one phase to another and, in general, we do not\ndisagree with the FBI\xe2\x80\x99s transfer of the requirements to later phases.\nHowever, we are concerned that the FBI did not require Lockheed\nMartin to determine the financial impact of deferring this work in Phase\n1 and adjust the cost of Phase 1 accordingly.\n\nPhase 1 Deliverables\n\n       Throughout the Sentinel project, FBI documents, including slides\nfrom weekly briefings to the FBI Director, have shown four major\nanticipated deliverables for Phase 1: (1) a web-based portal to ACS,\n(2) a case workbox, (3) the foundational components of a service-\norientated architecture, and (4) data cleansing of the electronic case\nfile (ECF) portion of ACS. As implemented, Phase 1 delivered the key\nACS portal and case workbox. Phase 1 also delivered the one\ncomponent of the ill-defined foundational components of a service-\n                                    - 28 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\noriented architecture that was appropriate for that phase, but did not\nprovide the data cleansing of the ECF portion of ACS. 41 As Sentinel\nprogressed through the life cycle management process, the FBI\xe2\x80\x99s\ninternal technical reports noted this divergence from the original set of\ndeliverables. For example, a technical report issued as part of the\ndesign review process noted that \xe2\x80\x9cThe analysis is based on the ability\nof the project to meet the SENTINEL Phase 1 goals. Initially, Phase 1\nwas to include foundational components of a service-oriented\narchitecture and ECF Data Cleansing. These two initiatives were\npushed beyond Phase 1 and are not germane to this analysis.\xe2\x80\x9d Neither\nthe foundational components of a service-oriented architecture nor the\ndata cleansing of ECF data were specified in the requirements for\nPhase 1, so the deferral of these goals did not require the deferral of\nrequirements. However, achieving both of these goals may potentially\nrequire significant financial and personnel resources. And as\nmentioned previously, deferral of these goals did not result in a\ncorresponding decrease in the Phase 1 contract amount.\n\n      In June 2006, the FBI and Lockheed Martin held an IBR for\nPhase 1 of Sentinel. One of the goals of an IBR is to agree on the\nscope of work. 42 At the IBR, Lockheed Martin identified the following\nthree major goals for Phase 1.\n\n       \xe2\x80\xa2    Portal \xe2\x80\x93 a single web-based user interface to the system\n            providing access to ACS functionality, a case \xe2\x80\x9cworkbox\xe2\x80\x9d that\n            summarizes a user\xe2\x80\x99s workload, enhanced search capabilities\n            including saved queries, and a single sign-on within Sentinel.\n\n       \xe2\x80\xa2    ACS ECF Data Cleansing \xe2\x80\x93 prepare the ECF portion of ACS\n            data to be transferred to Sentinel in Phase 2.\n\n       \xe2\x80\xa2    Service-oriented Architecture/Enterprise Service Bus \xe2\x80\x93\n            provide the governance of the service-oriented architecture\n            and web services, and preliminary public key infrastructure\n            (PKI) services for Sentinel system administrator login. 43\n\n\n       41\n          See page 34 for a discussion of the common components of a service-\noriented architecture.\n       42\n          See the Introduction to this report for a more detailed discussion of the\ngoals of an IBR.\n       43\n         Service-oriented architecture governance is the policies and controls used\nto manage any changes to a service-oriented architecture. PKI is a system of\n                                       - 29 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nSentinel Portal\n\n      Phase 1 of Sentinel delivered a web-based user interface to ACS\ndata, giving a much more modern look and feel to ACS data and\nallowing users to navigate through the system using a mouse.\nHowever, the portal will not allow users to perform all of the functions\nin the three modules that make up ACS: ECF, Investigative Case\nManagement (ICM), and Universal Index (UNI). Because many of the\nfunctions now performed by ACS will be performed by Sentinel starting\nin Phase 2, the web portal to ACS will be useful only until the\ncompletion of Phase 2. As a result, the FBI did not believe that\nduplicating all of ACS was cost effective and chose to include only the\nmost frequently used functions in the Phase 1 portal. The table below\nsummarizes the number of functions included in the Phase 1 portal\nand compares the ACS, the web-enabled ACS (WACS), and Phoenix.\n\n                        XXXXXXXXXXXXXXXXXXX\n\n XXXXXXX          XXXXXXX          XXXXXXX          XXXXXXX         XXXXXXX\n                   xxxxx\n     xxx            xxx                xxx              xxx              xxx\n     xxx            xxx                xxx              xxx              xxx\n     xxx            xxx                xxx              xxx              xxx\n    xxxxx           xxx                xxx              xxx              xxx\n\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n\n      Because some functionality can be found only in ACS, such as\nthe uploading of documents, FBI personnel will have to continue to use\nACS while Sentinel is being developed. Appendix 5 lists the\nfunctionality found in WACS, Phoenix, and Sentinel Phase 1. For those\nfunctions not available in any of these three systems, users will have\nto continue using ACS until the functions are available in a later phase\nof Sentinel. According to the Sentinel Program Manager, the FBI\nrecognizes that some critical functions, such as uploading documents,\nare currently available only in ACS and those functions need to be\nintegrated into Sentinel as soon as possible. As part of Phase 2, the\nFBI plans to enhance Phase 1 to allow users to upload documents.\n\n\n\n\ncomputers, software, and data that relies on cryptography to provide some aspects\nof computer security.\n                                        - 30 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nData Cleansing\n\n      Before Sentinel is completed, 23 million ACS records must be\ntransferred from ACS to Sentinel. The IDP does not include any data\ncleansing or data migration capabilities for Phase 1. Rather, the IDP\nstates \xe2\x80\x9cThere are no specific requirements for migration of case data in\nPhase 1.\xe2\x80\x9d However, Lockheed Martin\xe2\x80\x99s proposal included data\ncleansing of ECF data as part of Phase 1 in preparation for the data\xe2\x80\x99s\ntransfer, or migration, to the Sentinel database in Phase 2. As a\nresult, the FBI added this capability to its description of the Phase 1\ncapabilities.\n\n       Specifically, Lockheed Martin\xe2\x80\x99s proposal described the overall\ndata migration effort as consisting of two basic steps: (1) data\ncleansing, and (2) data migration. The data cleansing approach\ndescribed in Lockheed Martin\xe2\x80\x99s proposal yields an Error Assessment\nReport, which documents all of the data errors found in a system.\nThese errors are then used to build data transformation rules, which\nimprove the quality of legacy data before the data is migrated to the\nsystem being built. The FBI agreed to Lockheed Martin\xe2\x80\x99s data\ncleansing approach at the IBR, and the proposed scope of the data\ncleansing efforts were built into the integrated master schedule.\nHowever, further analysis and coordination with FBI headquarters\ndivisions responsible for ACS and data security led to the conclusion\nthat the full scope of Lockheed Martin\xe2\x80\x99s proposed data cleansing effort\ncould not be implemented in Phase 1 and that the actual data\ncleansing would have to be deferred to a later phase.\n\n      FBI personnel told us that the FBI deferred data cleansing until\nPhase 2 because of technical concerns the FBI had with cleansing data\nin advance of migrating it. Specifically, the FBI was concerned that\nsynchronizing the cleansed data with the actual ACS records at the\ntime of migration would be difficult. Since the FBI would continue to\nadd and modify data between the time of the data cleansing and the\ntime the data would be migrated to Sentinel, the two sets of data\nwould be different and resolving those differences presents significant\nchallenges. FBI officials also had concerns about where, or within\nwhat system, to store the large volume of data in the interim between\ncleansing and migration.\n\n      The final Data Migration Plan described the Phase 1 data\ncleansing efforts as testing and prototyping only. The goals of the\nPhase 1 data cleansing efforts are described below.\n\n                                 - 31 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n     \xe2\x80\xa2   Complete installation, configuration, and testing of the Phase\n         1 data migration environment in the FBI\xe2\x80\x99s testing and quality\n         assurance environments.\n\n     \xe2\x80\xa2   Complete performance benchmarking of ACS data access\n         using the FBI\xe2\x80\x99s testing and quality assurance environments.\n\n     \xe2\x80\xa2   Complete testing, integration, and validation of COTS\n         products using the FBI\xe2\x80\x99s testing and quality assurance\n         environments.\n\n     \xe2\x80\xa2   Complete testing, integration, and validation of the target\n         word search filtering capabilities of two COTS products using\n         the FBI\xe2\x80\x99s testing and quality assurance environments.\n\n     \xe2\x80\xa2   Complete error assessment report generation testing using\n         the FBI\xe2\x80\x99s testing and quality assurance environments.\n\n     \xe2\x80\xa2   Initiate ECF data analysis and migration planning for Phase 2.\n\n     \xe2\x80\xa2   Initiate installation, configuration, and testing of Phase 2 data\n         migration environment in the FBI production environment.\n\n       The Data Migration Plan states that data quality assessment,\ndata migration, and data cleansing of ACS ECF production data will not\noccur until Phase 2. However, the FBI did not conduct, or have\nLockheed Martin conduct, a cost assessment of the reduction in scope\nof the Phase 1 data cleansing on Phase 1 or Phase 2. While the scope\nof the Phase 1 data cleansing activities decreased, there was no\ncorresponding decrease in the cost of Phase 1. Similarly, while some\ndata cleansing activities were deferred until Phase 2, there was not an\nincrease in the cost of Phase 2. This change of scope occurred without\na change to the Phase 1 requirements because the System\nRequirements Specifications does not contain any requirements that\nspecifically address data cleansing or migration. Therefore, there were\nno requirements allocated to Phase 1 and no requirements deferred to\nPhase 2. According to the Sentinel statement of work, \xe2\x80\x9cThe contractor\nshall perform all activities (extract, translate and error correction,\nload) necessary to migrate legacy data needed for the operation of\ncapabilities delivered in each Phase.\xe2\x80\x9d Because Lockheed Martin\xe2\x80\x99s\nproposal included ECF data cleansing in Phase 1, Lockheed Martin\n\n\n\n                                  - 32 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\neffectively created a derived requirement, one that was deferred until\nPhase 2 without any cost implications. 44\n\n      FBI officials said that while Lockheed Martin had not done any\nactual data cleansing during Phase 1, it had made substantial progress\non the data cleansing task, including configuring and testing the data\ncleansing software, setting up the data cleansing facility that will be\nused during Phase 2, and establishing data cleansing procedures to\nadjudicate the resolution of problem data.\n\nService-Oriented Architecture\n\n       A service-oriented architecture is a collection of services that\ncommunicate with each other. The communication can involve a\nsimple data exchange or two or more services coordinating on an\nactivity. Common components of a service-oriented architecture\ninclude a metadata repository, governance, a service registry, and an\nenterprise service bus, all of which are described below.\n\n      \xe2\x80\xa2    Metadata repository \xe2\x80\x93 a database of data descriptions which\n           is intended to provide consistent and reliable access to data.\n\n      \xe2\x80\xa2    Governance \xe2\x80\x93 the mechanisms and policies to control what\n           services are available via a service-oriented architecture and\n           to whom they are available.\n\n      \xe2\x80\xa2    Service Registry - the infrastructure for building, deploying,\n           and discovering services on a service-oriented architecture.\n\n      \xe2\x80\xa2    Enterprise Service Bus \xe2\x80\x93 software \xe2\x80\x9cmiddleware\xe2\x80\x9d that connects\n           software components and allows the components to\n           communicate with each other.\n\n      Of these four components, Phase 1 delivered an enterprise\nservice bus. However, none of Sentinel\xe2\x80\x99s requirements specifically\naddress the service-oriented architecture, and therefore the FBI could\nnot validate whether Lockheed Martin delivered the foundation of a\nservice-oriented architecture, one of the stated goals for Phase 1. The\nFBI\xe2\x80\x99s Incremental Development Plan (IDP), which was provided to all\npotential Sentinel bidders as a framework from which to describe the\nintent of the Sentinel program, states that Phase 1 \xe2\x80\x9cmay include an\n      44\n         A derived requirement is a requirement deduced or inferred from the\nrequirements in the statement of work.\n\n                                      - 33 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nEnterprise Service Bus (ESB) and foundation services,\xe2\x80\x9d but does not\nfurther describe what is meant by either \xe2\x80\x9cfoundation services\xe2\x80\x9d or\n\xe2\x80\x9cfoundational components.\xe2\x80\x9d According to the FBI, the definition of\n\xe2\x80\x9cfoundational components of a service-oriented architecture\xe2\x80\x9d was\nintroduced during an internal review of the Sentinel design and was\nnot specifically shared with Lockheed Martin as a goal, objective, or\nrequirement of Phase 1. The FBI said that as a result, it had no\nexpectation that Lockheed would specifically address the commonly\nrecognized basic components of a service-oriented architecture in\nPhase 1. FBI officials said that Phase 1\xe2\x80\x99s enterprise service bus and\nweb portal are both foundational components of a service-oriented\narchitecture and that the enterprise service bus was the only one of\nthe four common foundational components that was applicable to\nPhase 1.\n\n       At the IBR, according to Lockheed Martin the scope of work for\nPhase 1 included governance of Sentinel\xe2\x80\x99s service-oriented\narchitecture, web services, and preliminary public key infrastructure\n(PKI) services for the Sentinel system administrator login. 45 The FBI\nand Lockheed Martin also agreed the scope of the Phase 1 service-\noriented architecture would include the following: define and\ndocument the service-oriented architecture including the enterprise\nservice bus, portal, access control framework with single sign on, ACS\naccess, services management/governance, data protection/\ndistribution/ recovery, and workboxes.\n\n      However, at the time of the Phase 1 Preliminary Design Review,\nthe PMO told the FBI\xe2\x80\x99s Technical Review Board that the \xe2\x80\x9ccore service-\noriented architecture implementation design/components will be\npresented in Phase 2,\xe2\x80\x9d and \xe2\x80\x9c[t]he enterprise service bus description,\ndesign, architecture will be introduced during Phase 2.\xe2\x80\x9d In addition,\nthe PMO said, \xe2\x80\x9cPlease note that the bulk of service-oriented\narchitecture information will come during Phases 2, 3 and 4.\xe2\x80\x9d The\ntechnical report done for the combined Deployment Readiness Review\nand Site Testing Readiness Review states that a service-oriented\narchitecture \xe2\x80\x9ccould not be completed in Phase 1\xe2\x80\x9d and that it was\ndeferred to a later phase.\n\n\n\n\n       45\n         Service-oriented architecture governance is the policies and controls used\nto manage any changes to a service-oriented architecture. PKI is a system of\ncomputers, software, and data that relies on cryptography to provide some aspects\nof computer security.\n                                        - 34 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n       The System Requirements Specifications do not delineate\nrequirements for Sentinel\xe2\x80\x99s service-oriented architecture or the\nfoundational components of a service-oriented architecture. Because\nthe System Requirements Specifications are the source for\nrequirements allocation by phase to supporting program documents,\nsuch as the Requirements Clarification Document (RCD), the RCD did\nnot allocate any service-oriented architecture related requirements to\nPhase 1. Without any service-oriented architecture requirements, the\nFBI cannot test whether Phase 1 met the stated service-oriented\narchitecture objectives.\n\nTransferred Costs\n\n      Through a series of six contract modifications, the FBI increased\nthe total contract value of Phase 1 by $2.5 million, from $57.2 million\nto $59.7 million, but the overall contract value of $305 million did not\nchange. As expected in a project of Sentinel\xe2\x80\x99s size and complexity,\nsome of the modifications increased the scope of Phase 1, while others\ndecreased it. However, the decreases either transferred the cost for\nthe tasks to the Sentinel PMO budget or to the amount budgeted for\nLockheed Martin\xe2\x80\x99s award fee. For example, in March 2007 the FBI\nissued a modification which deleted tape silos (computer hardware\nthat uses tapes to store large amounts of computer data) from the\nPhase 1 contract. Although the tape silos were still necessary for\nPhase 1, the FBI purchased silos with more storage capacity with funds\nfrom the PMO\xe2\x80\x99s budget and used the funds originally allocated to the\ntape silos to offset the cost of additions to the scope of Phase 1. The\ntable below shows the deletions in scope to the Phase 1 task order.\n\n\n\n\n                                 - 35 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n                 Reductions in the Phase 1 Task Order\n\n        Item              Reason for Change                          Amount\n Waiver of award fee         Lockheed Martin                        ($482,712)\n                        volunteered to waive any\n                        award fee it might receive\n                        during the first evaluation\n                                  period\n  Capability Maturity   The PMO believed its staff                  ($503,826)\n  Model Integration    had the necessary expertise\n(CMMI) Level 3 for the   for the PMO to achieve\n             46\n        PMO                    CMMI level 3\n      Tape silos          higher-capacity silos                    ($2,106,877)\n                        purchased as part of FBI-\n                            wide procurement\n   Total Deletions                                                 ($3,093,415)\n       Source: FBI\n\n      The increases in scope to Phase 1 were for items that Lockheed\nMartin believed the government was obligated to provide, subsequent\nphases of Sentinel, the operations and maintenance of Phase 1, or\nrequirements added by the FBI. The following table shows the\nadditions in scope to the Phase 1 task order.\n\n\n\n\n       46\n           Capability Maturity Model\xc2\xae Integration is a process improvement approach\nthat provides the essential elements of effective processes. There are six capability\nlevels, numbered 0 through 5. Each capability level corresponds to a goal and a set\nof practices.\n                                         - 36 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n                  Additions to the Phase 1 Task Order\n\n        Item                     Reason for Change                 Amount\n     Xxxxxx Xxxx                 The software was not              $610,451\n     Xxxxxxxxxxx             included in the baseline bill\n      Xxxxxxxx 47              of materials and the FBI\n                             agreed it was necessary to\n                                   complete Phase 1\n  Work-in-progress            The FBI\xe2\x80\x99s Finance Division           $160,863\n    accounting for              added the requirement\n       Phase 1\n  xxxxxxxx Licenses         Phase 2 software purchased            $2,443,644\n   and Maintenance           at a price advantageous to\n                                        the FBI\n Ramp up for Phase 1           Lockheed Martin needed              $671,932\n   operations and             time to hire and train the\n    maintenance             personnel to operate Phase\n                                           1\n  Early Execution of            Allow Lockheed Martin             $1,512,385\n Planning for Phase 2        additional time to plan for\n                                       Phase 2\n    Non-Sentinel            Purchase enterprise license            $643,064\n xxxxxxxx Enterprise            at reduced price due to\n     License and             Sentinel purchase of same\n    Maintenance 48                     software\n  Total Additions                                                 $6,042,339\nSource: The FBI\n\n\n\n\n      47\n         Xxxx Xxxxxxxxxx Xxxxxxx xxxxx xx x xxxxxxxxxxx xxxx xxxxx xxxxxxx\nxxxxxxxxx xx xxxx xxxx xxxxxxxx xx xxxx xxx xxxxxxx xxxx xxx xxx xxxxxx xxxx\nxxxxx xxxxxxxx xxxxxxxx xxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxxxxxx\nxxxxxxxxxxxx xxxxxxxxxx xxxxxxxxxxxxx xxxxxxxxxxxxx xxxxxxxxxxxxxx xxxx\nxxxxxxxxxxxxxxxxxxxxxx.\n      48\n          While the FBI purchased the xxxxxxxx enterprise license through the\nSentinel contract, Sentinel funds were not used for the purchase.\n                                        - 37 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nConclusion\n\n      Phase 1 delivered the two key components of Sentinel, the web-\nbased portal and the workboxes. However, it did not include all the\ndeliverables planned for Phase 1. While we cannot yet assess the full\nimpact of deferring some of the original Phase 1 deliverables to\nsubsequent project phases, we believe that deferring these\ndeliverables may add cost and schedule pressures to subsequent\nphases of the project. In addition, we question why cost adjustments\ndid not occur in Phase 1 due to reduced requirements.\n\n       The FBI\xe2\x80\x99s ITIM framework and the Sentinel PMO both establish\nprocesses that should enable the FBI to avoid the problems that\noccurred in the failed Trilogy project, but rigorous implementation of\nthese processes is necessary for the FBI to reduce the risks it faces in\nimplementing Sentinel. The schedule and cost issues the FBI\nencountered during Phase 1 demonstrate that inadequate\nimplementation of any of the disciplined processes in systems\ndevelopment can reduce or overcome the positive benefits of other\nprocesses. For example, the FBI\xe2\x80\x99s decision to allow Lockheed Martin\nto begin building Phase 1 without completing the design documents\nlikely had an impact on the time required for testing and the number\nof defects found during testing.\n\n      The FBI is currently reexamining whether the current\ndevelopment approach is best for the subsequent phases of Sentinel.\nOther approaches feature shorter phases and inherently lower the risk\nof spending substantial amounts of money on a deliverable that does\nnot meet the customer\xe2\x80\x99s needs. However, shorter phases may\nincrease the overall cost and schedule of Sentinel. In our judgment,\nwhile the FBI must continue to closely manage Sentinel\xe2\x80\x99s cost and\nschedule, the FBI\xe2\x80\x99s primary consideration in reevaluating Sentinel\xe2\x80\x99s\ndevelopment approach should be delivering a system that meets the\nneeds of the FBI regardless of how many discrete project phases may\nbe needed to accomplish that goal.\n\n\n\n\n                                  - 38 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c               REDACTED FOR PUBLIC RELEASE\n\n\nRecommendations\n\n    We recommend that the FBI:\n\n   1. Reconsider the four-phase approach to developing Sentinel to\n      limit the scope of future phases to allow them to be\n      completed in 9 months or less.\n\n   2. Negotiate decreases in the cost of future phases if\n      requirements are deferred in that phase.\n\n\n\n\n                               - 39 -\n\n               REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nFinding 2: Phase 2 Planning and Management Issues\n\n      The FBI has implemented several management controls\n      and processes that are designed to help it adequately\n      manage the development of Sentinel and bring it to a\n      successful conclusion. We reviewed four of these controls\n      and processes in-depth: (1) EVM, (2) independent\n      verification and validation (IV&V), (3) risk management,\n      and (4) bill of materials. We found that the FBI has made\n      significant progress in each of the four, but that additional\n      progress needs to be made in the implementation of EVM,\n      risk management, and the bill of materials.\n\n      In addition to these controls and processes, we found that\n      the FBI has identified lessons learned during Phase 1 of\n      the Sentinel project. We examined six key lessons that, if\n      acted upon, will aid the FBI in planning Phase 2 of the\n      Sentinel project and reduce risks. We also reviewed the\n      status of the recommendations we made in our previous\n      two reports on the Sentinel project and found that the FBI\n      is taking action to resolve our concerns. We have closed 5\n      of the 12 prior recommendations and note that the FBI\n      agreed with the remaining recommendations and was in\n      the process of taking corrective action. These\n      recommendations dealt generally with the FBI\xe2\x80\x99s need to\n      complete the required planning and general management\n      oversight policies and procedures for Sentinel in order to\n      help ensure its success.\n\nManagement Controls and Processes\n\n      The FBI has established four important management controls\nand processes that, if implemented correctly and fully, will help the FBI\nbetter manage the Sentinel project. However, the FBI needs to\nimprove its implementation of three of the controls and processes to\nensure their effective use.\n\nEarned Value Management\n\n       As we reported in December 2006, the FBI established an EVM\nsystem for Sentinel as required by OMB, and our current audit found\nthat the FBI is continuing to implement it. EVM helps manage project\nrisks by producing reliable cost estimates, evaluating progress, and\nallowing the analysis of project cost and schedule performance trends.\n                                  - 40 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nEVM compares the current status of a project, in terms of both cost\nand schedule, to the established cost and schedule baselines.\nDeviations between the baselines and the current status demonstrate\nthe project\xe2\x80\x99s progress and the overall level of performance, thereby\nenabling a level of accountability to be imposed on the project. When\nproperly implemented and utilized, EVM allows project management to\npinpoint potential problems and address them before they escalate.\n\n       According to the FBI\xe2\x80\x99s EVM plan, the Sentinel PMO will use the\nplan to measure both its and Lockheed Martin\xe2\x80\x99s earned value\nperformance and report the results to oversight entities. The Sentinel\nproject\xe2\x80\x99s Statement of Work requires vendors and contractors to fully\nimplement EVM in accordance with the plan, including having an EVM\nsystem of its own that complies with American National Standards\nInstitute (ANSI)/Electronic Industries Alliance (EIA) Standard\n748-A. 49 This allows the FBI to gather EVM data on the development\nportion of the project from Lockheed Martin through monthly electronic\ndata transfers from Lockheed Martin.\n\n      Our review of EVM reporting from September 2006 to March\n2007 showed that the FBI had continued to make efforts to implement\nEVM and use EVM data to help manage Phase 1 of Sentinel. Although\nthe FBI\xe2\x80\x99s implementation of EVM was consistent with the Department\xe2\x80\x99s\nguidance, several issues decreased the effectiveness of EVM as a tool\nto manage the Sentinel development contract.\n\n       Reliability of EVM Data\n\n       The most significant issue was the reliability of the EVM data\nLockheed Martin provided the FBI. In June 2007, the FBI rejected\nLockheed Martin\xe2\x80\x99s April 2007 EVM data after Lockheed Martin notified\nthe FBI that it estimated that it had incurred approximately $64.1\nmillion in costs during Phase 1 of Sentinel. Because the EVM baseline\nfor Phase 1 was $59.7 million, Lockheed Martin\xe2\x80\x99s estimate showed that\nits EVM system was not collecting accurate data on Sentinel costs as\nLockheed Martin was accruing the costs \xe2\x80\x93 one of the primary purposes\nof an EVM system. While Phase 1 was behind schedule, the EVM data\nindicated that the cost would not exceed the baseline of $59.7 million.\nIn the last EVM report released before the end of Phase 1, the FBI\n       49\n            ANSI/EIA Standard 748-A is the criteria selected by the OMB for EVM\nsystems. The standard includes 32 specific criteria in five process areas necessary\nfor a sufficient EVM system: (1) organization; (2) planning, scheduling and\nbudgeting; (3) accounting; (4) analysis and management reports; and (5) revisions\nand data maintenance.\n                                        - 41 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nestimated that on April 19, 2007, the original planned end date, there\nwould be enough unallocated funds to pay for an additional 5 weeks of\neffort by Lockheed Martin. In addition, the EVM data used for the\nMarch 2007 EVM report indicated that the project was on budget for\nthe amount of progress made.\n\n       Changes in Performance Measure Baseline\n\n       In addition, Lockheed Martin and the FBI agreed to several\nchanges in the performance measurement baseline, including two\nsignificant reallocations (also called \xe2\x80\x9creplanning\xe2\x80\x9d) of resources within\nthe original baseline amount of $57.2 million. 50 To remain compliant\nwith the ANSI/EIA Standard 748-A and OMB direction, the FBI must\ncontrol changes to the performance measurement baseline. To clarify\nwhat types of changes are appropriate and define the process for\nauthorizing changes, the Department\xe2\x80\x99s Office of the CIO (OCIO)\ndeveloped and distributed guidance on revisions to a project\xe2\x80\x99s\nperformance measurement baseline. Once the baseline has been\nestablished, any changes to it must be managed through a\ndocumented change control process. If a change is authorized, it\nshould be incorporated into both the project\xe2\x80\x99s budget and schedule in\na timely manner. Any changes to the baseline must be recorded prior\nto the commencement of the new work in the baseline revision.\n\n       The Department\xe2\x80\x99s guidance describes four categories of baseline\nrevisions: (1) internal replanning, (2) customer-directed change;\n(3) application of management reserve; and (4) reprogramming.\n\n       \xe2\x80\xa2    Internal replanning involves adjustments to future work in the\n            baseline as long as the adjustments do not affect the total\n            scope of work, baselined cost, or scheduled completion of the\n            project. Replanning, which requires the program manager\xe2\x80\x99s\n            authorization, should not result in any changes to the total\n            amount authorized or key schedule milestones. Replanning\n            may include revisions such as:\n\n              o adjusting future work between work packages within\n                the cost and schedule constraints of a single control\n                account;\n\n\n       50\n           Replanning revises the time-phased budget for completing the work\nremaining in a project without any changes to the total scope of work, baselined\ncost, or scheduled completion of the project.\n                                        - 42 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n           o adjusting future work between control accounts; and\n\n           o distributing undistributed budget to control accounts.\n\n     \xe2\x80\xa2   Customer-directed changes include contract changes and\n         modifications that typically add or remove scope to the\n         original performance measurement baseline. Funds from\n         contract changes and modifications should be distributed to\n         control accounts as soon as possible. While the contracting\n         officer authorizes the contract modification, the program\n         manager authorizes the change to the performance\n         measurement baseline. A customer-directed change may\n         result in an increase to the performance measurement\n         baseline and may require the adjustment of key milestones.\n\n     \xe2\x80\xa2   The management reserve, a portion of a project\xe2\x80\x99s budget set\n         aside to cover any unanticipated costs of a project\xe2\x80\x99s scope of\n         work, is not part of the project management baseline and\n         therefore its use requires a change to the baseline. The\n         program manager can authorize the use of the management\n         reserve, which may result in an increase to the performance\n         measurement baseline. However, the Department CIO should\n         authorize any changes to a project\xe2\x80\x99s key milestones.\n\n     \xe2\x80\xa2   Reprogramming revises the project baselines. This typically\n         takes place when project performance deviates significantly\n         from the original plan \xe2\x80\x93 usually the cost and time necessary\n         to complete the project\xe2\x80\x99s remaining work exceeds the budget\n         and schedule. Reprogramming sets planned value and\n         earned value equal to actual cost, thus eliminating any cost\n         and schedule variances. However, reprogramming should\n         always be accompanied by a thorough replanning of the\n         remaining work and should never be implemented solely to\n         eliminate current variances. Reprogramming is authorized by\n         the Department CIO and usually results in changes to the\n         performance measurement baseline and the adjustment of\n         key milestones.\n\n      Customer-directed changes, applying the management reserve,\nand reprogramming usually change the amount of the project\nmanagement baseline since these types of revisions adjust a project\xe2\x80\x99s\nscope, cost, or schedule. Customer-directed changes and application\nof the management reserve do not have any effect on the cost\nvariances or schedule variances. Reprogramming sets planned value\n                                 - 43 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nand earned value equal to actual cost, thus eliminating any cost and\nschedule variances. The Department\xe2\x80\x99s guidance refers to\nreprogramming as an extreme measure that should be applied when,\ndue to performance issues, all key stakeholders agree that the original\nplan was either seriously flawed or is no longer practical. Any baseline\nrevisions, regardless of the type, should be documented according to a\nchange control process compliant with the ANSI/EIA-748A guidelines.\n\n      We reviewed the revisions to the Sentinel Phase 1 performance\nmeasurement baseline and found that the FBI and Lockheed Martin\nrevised the project management baseline via internal replanning,\ncustomer directed change, and application of the management\nreserve. In addition, in a revision very similar to the application of\nmanagement reserve, Lockheed Martin and the FBI agreed to transfer\nabout $483,000 in potential award fees to supplement the\nperformance measurement baseline.\n\n       The most substantial of the revisions occurred in August 2006\nwhen, as part of a replanning effort, the FBI transferred about $15\nmillion from the distributed budget to the undistributed budget and,\nthrough a transfer from the management reserve, increased the\nperformance measurement baseline by $1.6 million. Almost all of the\ntransfer to the undistributed budget was the result of a decrease in the\namount budgeted for equipment. FBI officials said changes in the\nplanned equipment and uncertainty about other equipment\nnecessitated the transfer. This replanning effort also delayed the\ntiming of equipment purchases and moved the planned value\nassociated with those purchases. As shown below, the revisions had a\nsignificant impact on the project\xe2\x80\x99s planned value, the basis for\nmeasuring a project\xe2\x80\x99s progress against its schedule.\n\n\n\n\n                                 - 44 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n            Original Planned Value vs. Revised Planned\n                   April 2006 through May 2007\n\n\n        $60,000,000\n\n        $50,000,000\n                                                    Original Planned\n        $40,000,000                                 Value (1) (June\n                                                    2006)\n        $30,000,000\n                                                    Revised Planned\n        $20,000,000                                 Value (2) (March\n                                                    2007)\n        $10,000,000\n\n                 $0\n                     06\n                      6\n\n\n\n\n               D 6\n\n\n\n\n                      7\n                     06\n\n\n\n\n                     07\n                      6\n                   r-0\n\n\n\n\n                    -0\n\n\n\n\n                   r-0\n                   -0\n                  g-\n\n\n\n\n                  b-\n                  n-\n\n\n\n                 ct\n\n                ec\n               Ap\n\n\n\n\n               Ap\n               Au\n               Ju\n\n\n\n\n               Fe\n               O\n\n\n\n\n      Source: OIG analysis of FBI data\n\n      Compared to the original plan, these revisions reduced the\namount the FBI planned to accomplish from August 2006 through\nFebruary 2007. In July 2006, the EVM data showed Lockheed Martin\xe2\x80\x99s\nprogress was about 10 percent behind schedule. By October 2006,\n2 months after the replanning, the EVM data showed that Lockheed\nMartin was only 1 percent behind schedule. If the original plan had\nbeen in effect, Lockheed Martin would have been 24 percent behind\nschedule. However, neither the prior cost variance nor the prior\nschedule variance was set to zero as part of this replanning.\n\n       As previously discussed, the FBI issued a series of four contract\nmodifications which increased or decreased the scope of work and the\ncontract amount. These contract modifications also required revisions\nto the performance measurement baseline and the respective cost\naccounts. In addition, the modifications funded planning for Phase 2\nand preparation for Phase 1 operations and maintenance, both of\nwhich are outside of the scope of the development of Phase 1. In our\njudgment, frequent and numerous changes to the scope of work make\nEVM data less reliable. The Department\xe2\x80\x99s CIO agreed and said that\nrevisions to the performance management baseline are expected but\nfrequent revisions make it difficult to determine what the EVM data is\nmeasuring against.\n\n     The FBI\xe2\x80\x99s implementation of EVM comports with the\nDepartment\xe2\x80\x99s guidance and aids the FBI in managing the project, but\n                                     - 45 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nit does not provide all the data the OMB believes necessary for\noversight purposes. OMB officials said it would be helpful to them to\nbe able to compare Sentinel\xe2\x80\x99s performance to the original baseline. As\na result of OMB concerns that the FBI reprogrammed or rebaselined\nPhase 1 of Sentinel without the required OMB approval, we reviewed\nall changes to the time-phased budget used to measure Sentinel\xe2\x80\x99s\nprogress. We concluded that the FBI had not rebaselined the project,\nbut that its frequent replanning diminished the quality and usefulness\nof the EVM data for higher-level oversight.\n\nIndependent Verification and Validation\n\n       Inadequate implementation of any one of the disciplined\nprocesses in systems development can significantly reduce or\novercome the positive benefits of others. When this happens, it is\nimportant to act promptly to address risks so as to minimize their\nimpact. One way to monitor the processes used in systems\ndevelopment is to implement an IV&V process. In September 2006,\nthe FBI hired Booz Allen Hamilton (Booz Allen) to perform the IV&V\nfunction for the Sentinel project. Since then, Booz Allen has\nparticipated in FBI-only project meetings and joint FBI-Lockheed\nMartin project reviews. In addition, Booz Allen has provided written\ncomments and recommendations on many project documents, and\nproduced 15 project status briefings and monthly reports. Booz Allen\nalso produced monthly reports and biweekly briefings that were sent\ndirectly to the FBI\xe2\x80\x99s CIO.\n\n       These reports and briefings highlighted recent activities,\nupcoming events, and Booz Allen\xe2\x80\x99s view of the overall status of the\nproject, including a discussion of risks that could affect the project\xe2\x80\x99s\ncost, schedule, or performance. The IV&V products also included\nrecommendations and best practices. As of May 2007, Booz Allen had\nmade over 70 recommendations based on risks and other areas it\nidentified. Booz Allen also reported several project management and\noversight weaknesses that increased the risks associated with\nSentinel, including the following:\n\n      \xe2\x80\xa2   Design Incompleteness - In December 2006, the IV&V team\n          noted that the PMO staff made several hundred comments on\n\n\n\n\n                                  - 46 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n            System Design Document and the Interface Design\n            Document. 51 Due to the level of effort and time required to\n            address the comments in the documents, the PMO and\n            Lockheed Martin decided not to address these comments in\n            the final design documentation prior to development, but to\n            address the comments in the Software Product Specification,\n            which describes the specifications of a system as it was\n            actually built. Booz Allen was concerned that the developers\n            would create Sentinel without a complete understanding of\n            the agreed-upon design. Booz Allen recommended that the\n            FBI categorize and prioritize the comments, and then\n            requested that Lockheed Martin incorporate the high-priority\n            comments into revised documents.\n\n       \xe2\x80\xa2    Test Procedures - In December 2006, Booz Allen reviewed the\n            test procedures submitted by Lockheed Martin in preparation\n            for the Product Test Readiness Review (PTRR), which\n            assesses the readiness of a system for formal testing. (See\n            Appendix 3 for a description of a PTRR.) Booz Allen found\n            that 90 percent of procedures were unsatisfactory for\n            performing dry-run or system-level tests for one or more of\n            the following reasons: unclear test objectives, inadequate\n            text description of the test, insufficient details on the test\n            procedures, inadequate description of the results expected\n            from the test, or unclear user roles. Booz Allen warned that\n            inconsistent test procedures could result in inconclusive\n            evidence that the system met requirements and that the\n            project could be delayed since a verified set of test\n            procedures would be completed before proceeding to formal\n            testing. Booz Allen made a series of recommendations to\n            improve the test procedures and recommended that the FBI\n            and Lockheed Martin reexamine the testing schedule to\n            determine whether the needed improvements to the test\n            procedures would cause a delay in the start of formal testing.\n\n       In addition, as of May 2007 Booz Allen considered the following\nsignificant issues open and was tracking their resolution.\n\n\n\n       51\n           The System Design Document contains the design decisions made for the\nsystem as well as the system\xe2\x80\x99s architectural design and the services it will utilize.\nThe Interface Design Document details the design of and responsibility for both\ninternal data exchanges (within Sentinel) and external data exchanges (with systems\noutside of Sentinel).\n                                        - 47 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c            REDACTED FOR PUBLIC RELEASE\n\n\n\xe2\x80\xa2   Testing - In April 2007, Booz Allen noted that the Sentinel\n    system had been tested with a maximum of only 217\n    concurrent users, a load which Booz Allen viewed as\n    unrealistic. Because the limited load was not representative\n    of the user activity Sentinel would face once it was deployed,\n    Booz Allen concluded that Sentinel was vulnerable to\n    performance degradation \xe2\x80\x93 such as increased response times\n    \xe2\x80\x93 during periods of high workload. Booz Allen recommended\n    load testing with a number of users similar to the load that\n    would be placed on Sentinel once it was deployed nationwide.\n    Booz Allen believed this additional testing was necessary to\n    identify and fix any performance related errors prior to the\n    production release.\n\n\xe2\x80\xa2   Physical Architecture \xe2\x80\x93 In April 2007, Booz Allen identified the\n    proposed hardware system as a potential vulnerability due to\n    concerns about the system\xe2\x80\x99s ability to be available to users\n    whenever needed. Specifically, Booz Allen believed that the\n    system did not have the redundant components needed to\n    keep it up and running should a server fail. Booz Allen\n    recommended enhancing the current hardware architecture to\n    ensure higher availability, reliability, and performance of the\n    Sentinel system.\n\n\xe2\x80\xa2   Earned Value Management \xe2\x80\x93 Lockheed Martin was not\n    contractually required to generate variance analysis reporting\n    at the control account level. As a result, Booz Allen reported\n    that Lockheed Martin did not provide in-depth insight into the\n    cost and schedule drivers for the discrete technical areas.\n    While the PMO required Lockheed Martin to complete a \xe2\x80\x9croot\n    cause\xe2\x80\x9d analysis when a substantial variance occurred for the\n    program as a whole, it did not require one for variances in\n    major control accounts. Booz Allen was concerned that a\n    high-level analysis of the program\xe2\x80\x99s variances from the plan\n    would not allow the FBI to completely evaluate the technical\n    risk posed by the variance or Lockheed Martin\xe2\x80\x99s proposed\n    strategy for eliminating the variance. In addition, Booz Allen\n    had the following EVM concerns:\n\n          o Activities in the Integrated Master Schedule (IMS)\n            without Work Breakdown Structure Alignment \xe2\x80\x93 Booz\n            Allen identified several activities in the IMS without\n\n\n                             - 48 -\n\n            REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n                    baseline dates and with no cross-reference to the\n                    work breakdown structure. 52\n\n                 o Inaccurate Statusing (reporting of level of\n                   completion of an activity) \xe2\x80\x93 Booz Allen reported that\n                   the IMS showed that Lockheed Martin had claimed\n                   that some tasks were completed when they were\n                   not. For example, Lockheed Martin reported that it\n                   delivered the Security Vulnerability Risk Matrix on\n                   March 12, 2007, and recorded the task as 100\n                   percent complete in the IMS. However, the matrix\n                   Lockheed Martin submitted was essentially a copy of\n                   the FBI template and contained no data. Booz Allen\n                   expressed concern that the ground rules for taking\n                   credit for meeting a task may only require\n                   deliverable submission and not address quality,\n                   acceptance by the FBI, and rework.\n\n                 o IMS Logic Conflicts \xe2\x80\x93 These types of IMS constraints\n                   limit impact analysis. Activities with \xe2\x80\x9chard\n                   constraints\xe2\x80\x9d are likely to adversely impact the critical\n                   path. Booz Allen noted that the IMS used \xe2\x80\x9chard\n                   constraints\xe2\x80\x9d such as \xe2\x80\x9cMust Finish On.\xe2\x80\x9d The use of\n                   hard constraints created conflicts in the underlying\n                   logic of the schedule. For instance, the use of \xe2\x80\x9cMust\n                   Finish On\xe2\x80\x9d forced the scheduling software to record\n                   that a given activity finished on the \xe2\x80\x9cMust Finish On\xe2\x80\x9d\n                   date, regardless of whether that activity was finished\n                   early or had not yet been completed. Without an\n                   accurate record of when the task is completed, it is\n                   difficult to assess when tasks that depend on the\n                   completion of the first task can begin.\n\n      The IV&V process has resulted in numerous Booz Allen\nrecommendations related to Sentinel Phase 1 development. We\nbelieve that Booz Allen has been able to identify areas of concern,\nexplore them, develop recommendations and inform FBI decision\n\n      52\n          At a minimum, an integrated master schedule shows the expected start\nand stop dates for each event and accomplishment in a project\xe2\x80\x99s integrated master\nplan. To aid in the day-to-day management of a program, each event or\naccomplishment may be broken down into multiple level hierarchy of tasks necessary\nto achieve the larger task. A work breakdown structure is a tool for defining the\nhierarchical breakdown of tasks and activities in an integrated master schedule.\n\n                                      - 49 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nmakers in a timeframe that allows for meaningful changes to the\nproject. See Appendix 6 for a list of Booz Allen\xe2\x80\x99s IV&V\nrecommendations.\n\nRisk Management\n\n      The FBI has instituted a risk management process to identify and\nmitigate the risks associated with the Sentinel project. The risk\nprocess is managed by the Sentinel Program Manager and a Risk\nReview Board, which, according to the Risk Management Plan, is\nsupposed to meet biweekly. 53 The most significant risks identified by\nthe board are examined at monthly Program Management Review\nsessions and other Sentinel oversight meetings in accordance with the\nFBI\xe2\x80\x99s Life Cycle Management Directive (LCMD). 54\n\n       The purpose of risk management is to assist the program\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\nprogram. A risk management plan identifies the procedures used to\nmanage risk throughout the life of the program. In addition to\ndocumenting the risk approach, the plan focuses on how the risk\nprocess is to be implemented; the roles and responsibilities of the\nprogram manager, program team, and development contractors for\nmanaging risk; how risks are to be tracked throughout the program\nlife cycle; and how mitigation and contingency plans are implemented.\n\n       According to the Sentinel Risk Management Plan, risks are to be\nidentified, managed, and tracked throughout the life of the project.\nWhen a proposed risk is brought before the Risk Review Board, the\nboard\xe2\x80\x99s voting members decide whether or not to accept the risk as an\n\xe2\x80\x9copen\xe2\x80\x9d risk and, if accepted, vote on the severity the risk will have on\nthe project\xe2\x80\x99s cost, schedule, and performance and the probability the\n\n\n       53\n           According to the Sentinel Risk Management Plan, the Sentinel Risk Review\nBoard will include representatives from the following: program manager, systems\nengineer, program manager support personnel, systems engineer support personnel,\nprogram sponsor, users, the prime contractor, sub-contractors (as determined by the\nprime contractor), the Project Assurance Unit, and the Sentinel risk coordinator.\n       54\n           In addition to the risk management processes cited above, the following\nreceive briefings that include information about Sentinel risks: the FBI Director\n(weekly); a review team with senior representatives from the Department of Justice,\nOMB, and Director of National Intelligence (monthly); the FBI CIO\xe2\x80\x99s Advisory Council\n(bi-monthly); the FBI Director\xe2\x80\x99s Advisory Board (as requested); and congressional\noversight committees (quarterly).\n                                         - 50 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\nrisk will occur. Risks brought before the Risk Review Board are\ndocumented in a risk register, which includes the following:\n\n          \xe2\x80\xa2    description of the risk,\n          \xe2\x80\xa2    impact on the program should the risk occur,\n          \xe2\x80\xa2    phase of Sentinel affected by the risk,\n          \xe2\x80\xa2    person responsible for managing the risk,\n          \xe2\x80\xa2    OMB risk category,\n          \xe2\x80\xa2    severity of the risk as voted by the Risk Review Board,\n          \xe2\x80\xa2    probability the risk will occur as voted by the Risk Review\n               Board,\n          \xe2\x80\xa2    strategy to mitigate the risk,\n          \xe2\x80\xa2    risk status,\n          \xe2\x80\xa2    contingency trigger, and\n          \xe2\x80\xa2    contingency plan.\n\n      The risk register lists open risks in rank order based on the risks\xe2\x80\x99\nprobability and severity ratings. The PMO is responsible for tracking\nand periodically reviewing risks that are closed or resolved to prevent\nrecurrence and to document the effectiveness and any unintended\nconsequences of the mitigation strategy employed. Generally,\nSentinel\xe2\x80\x99s mitigation strategy has been to develop a series of actions\nthat will decrease the probability a risk will turn into an issue or to\nreduce the severity of a risk\xe2\x80\x99s impact on Sentinel.\n\n       Program risks include risks that are identified and managed by\nthe development contractor as well as risks that can only be identified\nand managed by the FBI. This requires that risk management be\nperformed by the vendor and subcontractors to identify risks from the\ncontractor perspective, and by the FBI program management team to\nidentify risks from the FBI\xe2\x80\x99s perspective.\n\n       As of April 2007, the FBI had identified and was managing 16\nopen risks to the Sentinel program, including the following top-ranked\nrisks:\n\n      \xe2\x80\xa2       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n      \xe2\x80\xa2       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n              xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;\n\n      \xe2\x80\xa2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                      - 51 -\n\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n      \xe2\x80\xa2   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n      Risk Management Challenges\n\n      We view the FBI\xe2\x80\x99s ability to interface with other FBI IT systems\nfrom which it will extract data as a potentially significant challenge.\nThe project manager said that during the planning stage of Sentinel,\nhe was assured by the FBI that the documentation about ACS that\nLockheed Martin needed in order to develop Sentinel existed.\nHowever, as discussed previously, Lockheed Martin had unanticipated\nproblems with the ACS system documentation. In order for Sentinel to\nbe able to extract information from ACS files, Lockheed Martin had to\nreverse engineer ACS to create satisfactory system documentation,\nwhich was then used to build the necessary interfaces between the two\nsystems. According to the project manager, as part of the\ndocumentation re-creation Lockheed Martin had to develop new\ndocumentation for approximately 71 modules. The unexpected project\ntook 4 weeks to design and an additional 4 weeks to develop. As a\nresult, the Sentinel Program Manager has identified the potential lack\nof adequate documentation for other systems\xe2\x80\x99 interfaces and business\nprocesses as a risk to the remaining phases of Sentinel. This risk has\nthe potential to impact both the budget and schedule of the Sentinel\nproject.\n\n       We also view the FBI\xe2\x80\x99s ability to prepare the data for transfer\nfrom ACS into Sentinel as a significant challenge. Much of the work to\nbe done for data cleansing will depend on the condition of the data in\nACS, which is the data to be cleansed then migrated to Sentinel.\nAccording to the FBI, one significant problem in ACS is that the data\nfields do not check or correlate. This means that data in a given field\nmay not represent the data expected in that field. For example,\n\xe2\x80\x9cXXXXX\xe2\x80\x9d could be entered in the field for recording the date an item\nwas entered into ACS. If a large amount of data in ACS is in this or a\nsimilar condition, this could have a significant impact on Sentinel\xe2\x80\x99s\ndevelopment schedule.\n\n       Migration of data from ACS to Sentinel is another potential\nsignificant challenge. There are more than 23 million records in ACS\nthat will need to be migrated to Sentinel, and a major problem for the\ndata migration is that ACS data is linked by serial numbers. One of\nthe challenges will be to keep the data together during migration. In\naddition, the timing of this data migration will be crucial. During data\nmigration there needs to be a minimal number of new ACS entries;\n                                  - 52 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\notherwise migration can never be fully completed. One idea the FBI is\nconsidering is to make ACS inaccessible for a period of time during this\nmigration. Two other options are to turn off the electronic case file\n(ECF) on ACS and only allow entries into Sentinel while still using the\nACS user interface or to flag ECF data when it has been accessed and\nqueue the flagged data for migration into Sentinel within 24 hours.\n\n       Our review of the April 30, 2007, risk register showed that the\nmajority of the 16 open risks are most likely to affect the second\nphase of the Sentinel project. 55 As shown in the following chart, the\nRisk Review Board classified 15 of the 16 (94 percent) risks as having\na potential impact on Phase 2. 56 Appendix 7 lists the 16 risks in order\nof priority as well as the phase of Sentinel they could affect.\n\n                        Open Risks by Sentinel Phase\n\n\n\n\n                   Phase 1 & 2 (2    Phase 1 (1 Open\n                    Open Risks)           Risk)\n\n\n\n\n                                                                             Phase 1\n                                                                             Phase 2\n                                                                             Phase 1 & 2\n\n\n\n\n                                     Phase 2 (13 Open\n                                          Risks)\n\n\n\n       Source: OIG analysis of FBI data\n\n       Risk Mitigation Strategies\n\n      According to the Risk Management Plan, a risk mitigation\nstrategy should be developed for each open risk to eliminate or reduce\nthe probability or impact of the risk on Sentinel\xe2\x80\x99s success. According\n\n       55\n          The April 30, 2007, risk register is the latest register that the FBI\nprovided us.\n       56\n            Two risks were assigned to both Phases 1 and 2.\n                                         - 53 -\n\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nto the Risk Management Plan, risk mitigation strategies should include\nthe following information:\n\n       \xe2\x80\xa2    description of the mitigation activity (required),\n\n       \xe2\x80\xa2    organization and individual responsible for executing the\n            mitigation strategy (required),\n\n       \xe2\x80\xa2    measure of effectiveness (required),\n\n       \xe2\x80\xa2    schedule of activities with completion dates, and\n\n       \xe2\x80\xa2    resources required and cost estimates of additional activities\n\n       The Risk Management Plan requires a mitigation strategy for any\nopen risk assessed with at least a medium impact or probability of\noccurrence and calls for the mitigation strategies to be recorded in the\nrisk register. The strategies should be reviewed and revised during\nteam status meetings and risk management meetings.\n\n       We reviewed the April 30, 2007, risk register and found that the\nFBI had developed mitigation strategies for the 9 risks for which a\nstrategy is required. 57 However, we found that mitigation strategies\nfor all 9 were incomplete because none of them included a description\nof how the effectiveness of the mitigation strategy would be measured.\nIn addition, none of the mitigation strategies described the resources\nrequired to implement the strategy or the cost of its implementation.\n\n       Contingency Plans\n\n       According to the FBI\xe2\x80\x99s risk management plan, the Sentinel PMO\nshould develop a \xe2\x80\x9ccontingency trigger\xe2\x80\x9d and a contingency plan for each\nrisk it is managing that has a probability or severity rated as at least\nmedium by the Risk Review Board. A contingency trigger is an event\nthat would convert a risk into an operational issue and cause the FBI\nto implement a risk\xe2\x80\x99s contingency plan. However, we found that the\nApril 30, 2007, risk register included a contingency trigger and\n\n       57\n           Of the 16 open risks in the April 30, 2007, risk register, 6 had both a\nprobability of occurrence and severity of impact assessed below \xe2\x80\x9cmedium\xe2\x80\x9d and are\ntherefore not required to have a mitigation strategy. However, the FBI developed\nmitigation strategies for them anyway. One of the 10 remaining risks did not have\nprobability or severity ratings, so we could not determine whether it required a\ncontingency plan.\n\n                                       - 54 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\ncontingency plan for only 3 of the 9 risks required to have a\ncontingency plan. In addition, only 2 of the risks ranked in the top 5\nrisks had a contingency trigger or plan. Yet, while the FBI is not fully\ncomplying with the risk management plan\xe2\x80\x99s contingency trigger and\ncontingency plan requirements, we found that the FBI\xe2\x80\x99s compliance\nhas improved since our previous audit in December 2006.\n\n      The Sentinel Risk Manager said that the Phase 1 schedule delays\nhad caused the Sentinel PMO to focus its efforts on avoiding further\ndelays and that the discipline required to maintain the risk register had\nbeen diverted to other tasks. That explanation notwithstanding, we\nbelieve there should be a contingency plan developed for each major\nrisk having the potential to result in a significant cost, schedule, or\nperformance deviation from the project baselines.\n\n      Closed Risks\n\n       According to the Sentinel Risk Management Plan, risks that are\nresolved or closed will continue to be tracked and periodically reviewed\nto prevent occurrence and to document effectiveness and unintended\nconsequences of the mitigation strategy employed. We reviewed the\n68 closed risks in the April 30, 2007, risk register and found no\nevidence that the mitigation strategies for 32 of the risks had been\nfully implemented. We recognize that full implementation of a risk\xe2\x80\x99s\nmitigation strategy may not be necessary to prevent a risk from\noccurring. However, none of the entries for the 32 risks indicated that\nfull implementation of the mitigation strategy was not warranted. To\nmaintain the integrity of Sentinel\xe2\x80\x99s risk management process and to\nshow that the FBI has effectively addressed all closed risks, we believe\nthat the basis for closing risks should be clearly documented in the\nSentinel risk register.\n\n      Risk Register Maintenance\n\n      The Sentinel Risk Management Plan requires that the Sentinel\nRisk Review Board meet at least biweekly and that the risk register be\nupdated after each meeting. We found during the period from\nAugust 11, 2006, through May 4, 2007, the Sentinel Risk Review\nBoard met 16 of the required 20 times. During this 8-month period,\nwe identified 4 periods when the Risk Review Board went 3 weeks or\nmore without meeting. The Sentinel Risk Manager told us holidays\nand major program reviews caused the lapses in the standard meeting\nschedule.\n\n                                  - 55 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n       In addition, we found other problems with the maintenance of\nthe risk register.\n\n      \xe2\x80\xa2   The risk register did not always accurately document the date\n          of the Risk Review Board meeting, suggesting to us that FBI\n          personnel could not determine whether they were looking at\n          the most recent risk information.\n\n      \xe2\x80\xa2   Some risk registers with different dates were exact\n          duplicates, indicating to us that the risk information had not\n          been updated.\n\n       When the FBI does not adhere to the disciplined processes\nrequired by the Sentinel Risk Management Plan, the project becomes\nincreasingly vulnerable to risks. For Sentinel to succeed, risks must be\ndiligently monitored and managed, and accurate data on the risks\nfacing Sentinel must be available to the PMO staff as well other\noversight organizations both within and outside the FBI.\n\n      Risk Ownership\n\n       When a new risk is opened, the Sentinel Risk Review Board\nassigns an owner to that risk. Risk owners are required to: (1) draft\nthe risk mitigation plan; (2) determine contingency triggers, (3) draft\ncontingency plans to reduce the impact of a risk condition actually\noccurring, (4) report on statistics, and (5) ensure that mitigation plan\nis implemented. At the time of our audit, most risk owners headed\none of the units that make up the Sentinel PMO. Most of the risk\nowners also sat on Sentinel\xe2\x80\x99s risk review board. We support the idea\nof having one person taking a lead role in managing each risk.\nHowever, as discussed below, the process of risk ownership does not\nappear to be functioning as intended. Specifically, during interviews\nwith risk owners we found that some:\n\n      \xe2\x80\xa2   could not explain the nature of the risks they had been\n          assigned,\n\n      \xe2\x80\xa2   were not the most active in designing or implementing the\n          strategy for mitigating the risk,\n\n      \xe2\x80\xa2   thought they did not have the expertise to fulfill their role as\n          risk owner, or\n\n\n                                   - 56 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n      \xe2\x80\xa2   thought they did not have the authority or capability to\n          implement a risk\xe2\x80\x99s mitigation strategy.\n\n       In addition, the responsibility for managing Sentinel\xe2\x80\x99s risks is\ndisproportionate; two people were responsible for the majority of the\nrisks open as of April 2007. In our judgment, risks cannot be\nadequately managed if the personnel assigned cannot do not have the\nrequired expertise or cannot devote a sufficient amount of time to a\nparticular risk.\n\n      Issue Tracking\n\n       According to the Sentinel Risk Management Plan, risks that are\nconsidered unavoidable, and therefore its mitigation strategy options\nare outside of Sentinel program management control, are to be\nassigned as an issue and tracked and reported accordingly. If a risk is\nidentified as an issue by the Sentinel PMO, it is transferred from the\nopen risk section of the risk register to the closed risk section, where it\nis no longer actively managed. However, the FBI has not implemented\na system to track issues and their resolution. Sentinel officials told us\nthat they are aware of the need to actively manage issues and are\nconsidering different methods to do so.\n\n       The FBI has made significant progress in implementing a\nprogram to manage the risks that threaten Sentinel\xe2\x80\x99s cost, schedule,\nand performance. However, the effectiveness of the risk management\nprogram depends on disciplined implementation, and we found that\nthe FBI has not always adequately implemented the processes\nnecessary to reduce the risks that Sentinel faces. With respect to\ncurrently identified project risks, we view the FBI\xe2\x80\x99s ability to interface\nwith the systems from which it will extract data as a potentially\nsignificant challenge. In Phase 1, Lockheed Martin had unanticipated\nproblems connecting Sentinel with ACS because there was no detailed\ndocumentation describing how ACS works. Consequently, Lockheed\nMartin had to create the documentation itself. The Sentinel PMO did\nnot anticipate this task because the managers of ACS told the PMO\nthat all of the necessary documentation existed. Because this\nunexpected task strained both the Phase 1 budget and schedule, the\nPMO is now tracking documentation for the other systems with which\nSentinel must interface as a risk.\n\n\n\n\n                                   - 57 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nBill of Materials\n\n       A Bill of Materials (BOM) is a document that centralizes\ninformation from numerous system documents. The BOM should list\nall parts and components, both hardware and software, that comprise\nan IT system. According to the FBI\xe2\x80\x99s LCMD, a BOM should provide a\ncomplete list of all parts, assemblies, COTS equipment, and software\nthat make up the system as well as the information required to\nconstruct new units for the system or order spare parts for it.\n\n     Lockheed Martin submitted a BOM, as required, as part of its\nproposal when competing for the Sentinel project. Contractually,\nLockheed Martin is required to purchase the list of items on the BOM.\nHowever, as is to be expected in a project as complex as Sentinel,\nLockheed Martin has needed to revise the BOM submitted in its\nproposal. Several allowable reasons for BOM revisions include:\n\n      \xe2\x80\xa2   Specific models of equipment have become obsolete prior to\n          purchase;\n\n      \xe2\x80\xa2   Model numbers of specific equipment have changed;\n\n      \xe2\x80\xa2   The cost of specific hardware or software has changed;\n\n      \xe2\x80\xa2   Items were mistakenly omitted on the original BOM; and\n\n      \xe2\x80\xa2   The design or approach of Sentinel has evolved as the project\n          has progressed.\n\n      Because of the importance of having an accurate BOM, the\nSentinel PMO established a BOM Deviation Policy. This policy\nestablishes the criteria for what constitutes a change to the BOM and\nwhether Lockheed Martin needs the FBI\xe2\x80\x99s approval prior to making a\nchange to the BOM. The policy defines a deviation as any difference\nbetween the original cost, model number or purchase date, or any\naddition or deletion of material. Lockheed Martin must obtain approval\nfrom the Sentinel Contracting Officer\xe2\x80\x99s Technical Representative\n(COTR) for changes when the cost of materials to be purchased\nincreases from the originally proposed cost by the lesser of 5 percent\nor $1,000, or there is a change to the purchase date of material by\n\n\n\n\n                                  - 58 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n30 days or more. 58 However, changes to the BOM resulting from\nSentinel Configuration and Change Management Board proceedings do\nnot require approval from the COTR. 59 Every month, Lockheed Martin\nis required to submit a BOM Deviation Report that lists all changes\nmade to the BOM in the last month, regardless of whether FBI\napproval is needed.\n\n      According to the Sentinel COTR, Lockheed Martin also\nestablished its own procedures for making changes to the BOM,\nrequiring its Engineering Review Board to approve every change\nrequest before seeking approval from the FBI. However, according to\nthe COTR Lockheed Martin employees viewed approval by the\nEngineering Review Board as final and therefore did not submit all\nchanges to the FBI as required. The Sentinel PMO has recognized that\nLockheed Martin employees were not fully aware of the PMO\xe2\x80\x99s policies\nfor making changes to the BOM and has begun working with Lockheed\nMartin to clarify its policies.\n\n      In addition to not following the policy for making changes to the\nBOM, Lockheed Martin also did not submit the required BOM Deviation\nReports. According to the Sentinel COTR, Lockheed Martin\xe2\x80\x99s failure to\nsubmit the deviation reports was linked to confusion about the\napproval process for making changes to the BOM, as discussed above.\nInstead of BOM Deviation Reports, Lockheed Martin provided periodic\nequipment purchase reports to the PMO. However, these reports could\nnot be reconciled to the BOM and did not document proper FBI\napproval, so the PMO could not verify whether all items on the\npurchase report were listed on the BOM or received FBI approval. The\nsame was true of Lockheed Martin\xe2\x80\x99s invoices.\n\n       The Sentinel PMO is aware of these shortcomings and has\nestablished a joint Lockheed Martin-FBI team to revise the PMO\xe2\x80\x99s\npolicies for making changes to the BOM. FBI officials said the revised\npolicy would include solutions to all of the issues discussed above. In\n       58\n           The Sentinel COTR is assigned to the Business Management Unit and\nassists the contracting officer with the technical oversight necessary to execute the\nSentinel contract. Specifically, the COTR is the official recipient of all contract\ndeliverables, coordinates the delivery of government furnished equipment and\ninformation to the prime contractor, and verifies invoices.\n       59\n          The Sentinel Configuration and Change Management Board is responsible\nfor approving updates to any of Sentinel\xe2\x80\x99s baselines. The Board adjudicates\nproposed changes affecting system requirements, configuration management, risk\nmanagement, and documents that affect the project\xe2\x80\x99s scope, schedule and cost.\n\n                                        - 59 -\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\naddition, at the close of Phase 1 the FBI required Lockheed Martin to\nsubmit a BOM documenting the system as it was built and reconcile\nthat BOM to Lockheed Martin\xe2\x80\x99s invoices.\n\n       In addition to the issues with which the FBI was aware, we\nidentified another significant flaw in the PMO\xe2\x80\x99s BOM deviation policy.\nWhile the policy states that a deviation is any addition or deletion to\nthe BOM, the policy does not require FBI approval for these additions\nor deletions. Instead, the policy only requires approval for cost\nincreases and changes to purchase dates for items already on the\nBOM. The lack of written procedures for making changes to the BOM\nincreases the risk that the document will not provide an accurate\nreflection of the equipment that has been purchased or that needs to\nbe purchased to ensure successful completion of the project. This\ninformation is necessary to control costs, manage property, and\nprevent unnecessary or wasteful purchases. The Sentinel PMO agreed\nwith our concerns and said that this issue would be addressed in\nrevised BOM policies.\n\n       According to Lockheed Martin records obtained from the FBI,\nchanges to the BOM have been significant, resulting in a reduction of\nnearly $7 million from the cost of Phase 1. As shown in the following\ntable, during Phase 1 Lockheed Martin deferred the purchase of $5.8\nmillion worth of equipment to later phases and purchased $1.5 million\nworth of equipment originally scheduled to be purchased during future\nphases. Coupled with changes resulting from modifications in the\ndesign of Sentinel and the substitution of newer equipment not\navailable at the time of Lockheed Martin\xe2\x80\x99s proposal, the cost of\nmaterials for Phase 1 decreased by nearly $7 million.\n\n\n\n\n                                 - 60 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n                    Changes to the Bill of Materials\n\n    Description of                                             Total Added\n                            Added Cost            Savings\n        Change                                                Cost & Savings\nDeferred Equipment\nPurchases (from Phase             $0            -$5,830,907    -$5,830,907\n1 to future phases)\nForwarded Equipment\nPurchases (from future       $1,541,887              $0         $1,541,887\nphases to Phase 1)\nChange in Equipment\n                                  $0            -$3,081,112    -$3,081,112\nDesign or Selection\nAdditions, Price\nModifications, and            $434,768               $0         $434,768\nDeletions\n Total                      $1,976,655          -$8,912,019    -$6,935,364\nSource: Lockheed Martin data obtained from the FBI\n\n       We concluded that the FBI needs better controls to ensure the\naccuracy of the equipment on the BOM and adequate cost control and\nproperty management. In addition, we found that the FBI cannot\ntrack changes made to successive versions of the BOM. Without a\nreliable system to track equipment purchased by the BOM to FBI\nproperty management records, the opportunity exists for the loss of\nsystem equipment. Management of project costs is also made more\ndifficult, resulting in the increased possibility that project funds could\nbe wasted. Finally, absent a way to document changes as the BOM is\nupdated, it is difficult to determine whether the listed equipment is\ncurrent and necessary for completion of the project.\n\n       The Sentinel Program Manager agreed with our assessment of\nthe BOM deviation policy. He acknowledged that he has found\ndiscrepancies between the BOM and the equipment listed in the FBI\xe2\x80\x99s\nproperty management system. As noted above, one of the close-out\nactivities for Phase 1 was a line-by-line inventory of all equipment\nlisted on the BOM.\n\nPlanning for Phase 2 and Lessons Learned\n\n      The FBI\xe2\x80\x99s experience with Phase 1 has had a substantial impact\non planning for the remaining phases of Sentinel. At the conclusion of\nour audit field work in May 2007, the FBI\xe2\x80\x99s Phase 2 activities were\nlimited to planning rather than development. The FBI and Lockheed\n                                       - 61 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nMartin were examining the best way to divide the remaining Sentinel\ndevelopment tasks. To accomplish this, Lockheed Martin and the FBI\nwere negotiating an engineering change proposal to replan the\nremaining work, but the FBI had not decided on the number of\nsubsequent phases or the content of those phases. However, FBI\nofficials said the cost estimate and overall timeframe of Sentinel\ncompletion by December 2009 had not changed. Below we discuss six\nlessons the FBI and Lockheed Martin learned during Phase 1 and how\nthe FBI plans to adjust future phases to reduce risk identified by these\nlessons.\n\nComplexity of COTS Integration\n\n      In our December 2006 Sentinel report, we cited the integration\nof COTS components into a system that meets the FBI\xe2\x80\x99s needs as one\nof the most significant risks to Sentinel\xe2\x80\x99s cost, schedule, and\nperformance. During Phase 1, integrating COTS software proved to be\na significant challenge for Lockheed Martin, one that contributed to the\ndelay in the delivery of Phase 1. This challenge was compounded by\nSentinel\xe2\x80\x99s use of relatively new software and the need for personnel\nwith security clearances.\n\n      According to the Chief of the Sentinel System Development Unit,\nwhile the complexity of integrating COTS software also will affect\nsubsequent phases of Sentinel, it is difficult to determine the degree of\nthe impact. In an effort to mitigate the schedule and cost risks\nassociated with these complexities, the FBI and Lockheed Martin plan\nto set up a prototyping lab for Phase 2 in which engineers will be able\nto test early in the phase how different COTS products interact when\nthey are integrated. This will allow engineers to gain early insight into\npotential problems that may occur during Phase 2 and allow Lockheed\nMartin enough time to adjust its design accordingly.\n\nInterfacing with ACS is Complex\n\n      The web portal developed in Phase 1 displays data stored in\nACS. To accomplish this, Lockheed Martin had to build interfaces\nbetween Sentinel and ACS, a task during which Lockheed Martin\ngained familiarity with the complexity of interfacing with ACS.\nAccording to Sentinel PMO officials, the documentation or blueprints\nfor ACS were not sufficiently detailed to allow Lockheed Martin to build\nthe interfaces necessary for Phase 1 as it initially intended. Instead,\nas described previously, Lockheed Martin had to reverse engineer and\nfix approximately 30 interfaces to build the Phase 1 portal. This\n                                  - 62 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nunexpected additional work resulted in a significant strain on the\nproject schedule and budget.\n\n       To minimize the cost and schedule risk associated with\ninterfacing with ACS and other legacy systems, the FBI plans to\nreexamine the functionality of the subsequent phases of Sentinel and\nthe need to interface with the FBI\xe2\x80\x99s legacy systems. At a March 2007\nmeeting, the FBI eliminated from the project plans several interfaces\nwith little-used FBI legacy systems. As discussed previously, the FBI\nand Lockheed Martin are currently restructuring the remaining phases\nof Sentinel and a major factor in that restructuring is the desire to\nminimize temporary interfaces with ACS.\n\nPhase 1 Schedule Focused on Documents\n\n      According to the FBI\xe2\x80\x99s Sentinel Program Manager, some of the\ndeliverables in the Phase 1 schedule were documents. However, in\nsome cases, Lockheed Martin delivered incomplete or poorly\nconstructed documents so that it could meet due dates. Because\nthese documents did not serve their intended function, the project was\ndelayed.\n\n      According to the program manager, the Phase 2 deliverables will\nbe based more on the delivery of functionality rather than the delivery\nof documents. For example, Lockheed Martin may not be required to\ndeliver a document detailing the Phase 2 design if the same need can\nbe met using computer software. While some of the Phase 2\ndeliverables will still be documents, their purpose will be to support a\nspecific function. According to the PMO, documents delivered by\nLockheed Martin will not be accepted unless they meet FBI standards.\n\nWeaknesses in Phase 1 Requirements Validation\n\n      Requirements validation is the process by which FBI and\nLockheed Martin personnel meet during what is called the\nRequirements Clarification Review (RCR) to discuss the requirements\nto be completed during the upcoming phase of the project. The RCR is\nheld at the beginning of each phase. During the RCR, requirements\nthat were identified at the beginning of the project are reviewed by\nboth parties to determine whether the functionality provided by\ncompletion of the requirement is still necessary. If the requirement is\ndetermined to still be applicable to the project, RCR participants then\nbreak the requirement down into sub-requirements to be completed in\nsupport of the main requirement. The product of the RCR is the\n                                 - 63 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nRequirements Clarification Document (RCD) which delineates the\nrequirements and sub-requirements to be competed during the current\nphase.\n\n      FBI officials said that not enough time was devoted to\nrequirements validation during Phase 1 and consequently some of the\nPhase 1 requirements were unclear or incomplete. These\nshortcomings in the Phase 1 requirements led to disagreements with\nLockheed Martin about the design of Phase 1 and created problems\nduring testing. To resolve the issues stemming from the Phase 1\nrequirements validation, the PMO and Lockheed Martin plan to began\nPhase 2 requirements validation well in advance of the start of Phase 2\nand devote more time to the effort.\n\nScheduling of Design Reviews\n\n      The Phase 1 schedule did not allow enough time between the\nPreliminary Design Review, the Critical Design Review, and the Final\nDesign Review. Key design documents must be developed by\nLockheed Martin and reviewed by the FBI at each of these interrelated\ndesign reviews. In addition, the schedule needs to allow adequate\ntime for the following:\n\n     \xe2\x80\xa2   The FBI must review and comment on the documents;\n\n     \xe2\x80\xa2   Lockheed Martin must incorporate the FBI\xe2\x80\x99s comments and\n         resubmit the documents to the FBI; and\n\n     \xe2\x80\xa2   The FBI must verify that Lockheed Martin adequately\n         addressed the FBI\xe2\x80\x99s comments.\n\n      As discussed in the previous finding, the lack of time between\ndesign reviews led to incomplete design documents that did not\nincorporate all of the FBI\xe2\x80\x99s technical comments. In turn, the\nincomplete design documents led to problems during the testing phase\nof the project. In the subsequent phases of Sentinel, the FBI has\ncommitted itself to allowing sufficient time between design reviews.\n\nConstruction and Maintenance of Schedule\n\n      According to the Sentinel Program Manager, the Phase 1\nschedule was extremely tight from its inception. In addition, some of\nthe tasks were scheduled out of order. Another issue that the PMO\nand Lockheed Martin encountered was starting and ending dates for\n                                 - 64 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\ntasks were entered into the schedule as hard constraints. This means\nthat even if the project progressed at a faster rate than planned, tasks\ncould not be recorded as started until the date specified. This, in\neffect, prevented the project from ever achieving an \xe2\x80\x9cahead of\nschedule\xe2\x80\x9d status.\n\n       These hard constraints were also applied to task end dates. As a\nresult, whether or not the tasks had actually been completed and\nsigned off on by the PMO, on the end date identified in the schedule\nthe tasks were automatically listed as complete. The Sentinel Program\nManager said that Lockheed Martin personnel mismanaged the\nschedule in this way because of intense pressure from FBI and\nLockheed Martin managers to stay on schedule. This misidentification\nof task status contributed to further delays and provided poor visibility\ninto the project\xe2\x80\x99s actual status.\n\n        For future phases, the PMO plans to work with Lockheed Martin\nto ensure a more accurate assessment of progress. The PMO and\nLockheed Martin also plan to reduce the number of hard constraints\nfrom the schedule to improve the accuracy of progress measurement.\nThe removal of constraints will also allow for the adjustment of task\nend dates in the event the project falls behind schedule. During Phase\n1, when a task that affected the completion of a related task fell\nbehind schedule, the end date of the related task remained static.\nThis resulted in schedule compression and creation of an unrealistic\nschedule. The removal of hard constraints will allow for greater\nvisibility into how delays affect the completion of other tasks and\nultimately the entire phase.\n\nActions Taken on Previous OIG Recommendations\n\n       During our audit, we examined the FBI\xe2\x80\x99s actions to address\nrecommendations we made in our earlier audit reports on Sentinel and\nfound that the FBI was, in general, taking action to resolve our\nconcerns. Based on the FBI\xe2\x80\x99s actions, we closed 5 of the 12\nrecommendations. We also noted that the FBI agreed with the\nremaining recommendations and was in the process of taking\ncorrective action. Our recommendations dealt generally with the FBI\xe2\x80\x99s\nneed to complete required planning and general management\noversight policies and procedures for Sentinel in order to help ensure\nits success.\n\n     In our March 2006 report, The Federal Bureau of Investigation\xe2\x80\x99s\nPre-Acquisition Planning For and Controls Over the Sentinel Case\n                                  - 65 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\nManagement System, we made seven recommendations, of which four\nhave been closed. The remaining three recommendations relate to the\nneed to complete certain planning documents, the staffing of the\nSentinel PMO, and Sentinel training. In addressing these\nrecommendations, we found that the FBI:\n\n      \xe2\x80\xa2   continued to work on completing its system security plan\n          and completed its independent verification and validation\n          (IV&V) plan, which partially closes this recommendation;\n\n      \xe2\x80\xa2   filled 70 of 75 positions within the Sentinel PMO, with three\n          of the vacancies tentatively filled; and\n\n      \xe2\x80\xa2   continued work on a comprehensive training plan with\n          schedule and cost estimates.\n\n       In our December 2006 report, Sentinel Audit II: Status of the\nFederal Bureau of Investigation\xe2\x80\x99s Case Management System, we made\nfive recommendations, one of which has been closed. The four\nremaining recommendations were that the FBI should: (1) develop\ncontingency plans as required by the Sentinel Risk Management Plan,\n(2) provide experienced contractors to conduct an IV&V process\nthroughout the Sentinel project, (3) determine the appropriate amount\nof management reserve for each phase of the project, and (4) fill the\nvacant Sentinel PMO positions needed to complete Phase 1 of the\nproject.\n\n       In performing the fieldwork for our current audit, and as\nmentioned earlier in this report, we found that the FBI has improved\nits development of contingency plans and triggers as required by the\nSentinel Risk Management Plan. With the implementation of Phase 1,\nthere is no longer a need to address the risks related to that phase.\nHowever, we continue to have concerns regarding the FBI\xe2\x80\x99s\nimplementation of its Risk Management Plan, as well as some of the\nrisks we noted earlier concerning the future Phases of Sentinel, and we\nwill continue to monitor their implementation during future audit work.\n\n        Also noted earlier in this report, we found that the FBI has begun\nutilizing a contractor, Booz Allen, to perform IV&V of the Sentinel\nproject. We found that the IV&V process has resulted in numerous\nrecommendations to Sentinel Phase 1 development. Based on our\nexamination of the FBI\xe2\x80\x99s implementation of this process, this\nrecommendation can be closed through our normal audit follow-up\nprocess.\n                                  - 66 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n\n       Because each of Sentinel\xe2\x80\x99s four phases will have a separate task\norder with its own funding, and planning for Phase 2 continued after\nour fieldwork ended, we were unable to determine whether the FBI is\nestablishing a management reserve based on an assessment of the\nproject risks for each phase and for the project overall. However, we\nwill continue to monitor the FBI\xe2\x80\x99s utilization of management reserves\nin future audit work. After the completion of Phase 2 planning, the\nmethodology currently being used by the FBI to develop management\nreserves should become more apparent.\n\n       Due to the importance of the PMO in the oversight of Sentinel,\nwe recommended in both of our previous Sentinel audits that the PMO\ncomplete hiring as soon as possible for the vacant PMO positions. The\nPMO plays a critical role in assuring that the FBI implements a case\nmanagement system that meets its needs. The PMO\xe2\x80\x99s contract and\nprogram execution responsibilities include: (1) cost, schedule, and\nperformance oversight; (2) LCMD project reviews; (3) award fee\nevaluations; (4) primary contractor\xe2\x80\x99s documentation review and\nacceptance; (5) requirements and risk management; and (6) budget\nand financial management. In light of these responsibilities, having a\nqualified, dedicated PMO staff focused on program execution is critical\nto the success of the Sentinel project.\n\n       Since our December 2006 audit the PMO has increased its\nplanned size from 73 positions to 76 positions, reallocated positions\namong PMO units, and was in the process of filling 3 positions. As of\nMay 2007, the PMO consisted of 70 of the 76 personnel identified in\nthe FBI\xe2\x80\x99s Sentinel Staffing Plan (92 percent) as required to properly\noversee the project. According to the FBI, the objective in staffing the\nPMO is to form an integrated team of subject matter experts from\ngovernment, federally funded research and development centers, and\nsystem engineers and technical assistance contractors to maximize\nprogram expertise. 60 The following table summarizes the PMO\xe2\x80\x99s\nstaffing level as of May 15, 2007, and shows the progress the FBI has\nmade in staffing the office since October 2006.\n\n\n\n\n      60\n           Federally funded research and development centers are nonprofit\norganizations sponsored and funded by the U.S. government to assist government\nagencies with scientific research and analysis, systems development, and systems\nacquisition.\n                                        - 67 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n             SENTINEL PMO STAFFING REQUIREMENTS\n\n                                                      Staff on          Staff on\n                                   Planned             Board,          Board, May\nOrganizational Units\n                                   Staff (a)          October           2007 (b)\n                                                        2006\n\nPMO Front Office                       11                 11                 10\n\nOrganization Change\n                                        6                  3                  4\nManagement Team\nBusiness Management                    11                 13                 11\nProgram Integration                    10                 10                  9\nSystem Development                     28                 25                 28\nTransition                              5                  4                  5\nOperations &\n                                        5                  0                  3\nMaintenance\n Total                                 76                 65                 70\nSource: The FBI\n\nNotes: (a) Since October 2006, the Sentinel PMO has revised the total planned staff\n           from 73 to 76. Also, the plan does not include individuals who are on\n           temporary duty assignment to the project.\n\n       (b) The number of staff on board includes three positions for which the FBI\n           has selected candidates and is in the process of hiring.\n\n       (c) In our previous report, we identified this unit as two separate units;\n           Program Leadership, and Direct Report Staff.\n\nFor a more complete description of PMO staff and their duties, see\nAppendix 8.\n\n        Of the current vacancies, one is a government position \xe2\x80\x94 a\nSupervisory Special Agent \xe2\x80\x94 and one is a contractor position \xe2\x80\x94 an\nOrganizational Change Management (OCM) expert. Hiring for the\nother position \xe2\x80\x94 a System Engineer \xe2\x80\x94 has been delayed until Phase 3.\nThe Chief of the Business Management Unit said that a setback in\nfilling PMO positions quickly occurred when the FBI instituted a hiring\nfreeze as a result of the FY 2007 continuing resolution. He said that\nanother setback to filling open PMO positions quickly is the amount of\ntime that is required to execute and adjudicate Top Secret clearance\n\n                                        - 68 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nbackground checks; he said that the PMO has been submitting its\nbackground check requests in expedited status.\n\n       The following table shows the changes in the number of planned\nstaff from October 2006 to May 2007.\n\n        Changes in Sentinel PMO Staffing Requirements,\n                  October 2006 to May 2007\n\n                                             Change in\n              Organizational Unit             Planned\n                                                Staff\n              PMO Front Office                   +1\n              Organization Change\n                                                 +2\n              Management Team\n              Business Management                -3\n              System Development                 +3\n                Total                            +3\n             Source: The FBI\n\n      The FBI Deputy CIO said he thinks the PMO is \xe2\x80\x9cpretty lean\xe2\x80\x9d in\ncomparison to other PMOs he has seen. He said that he and the\nSentinel Program Manager looked at best practices while developing\nthe structure of the PMO, but were also mindful that while they could\nselect whomever they wanted internally in the FBI to work at the PMO,\nthis would also put another component of the FBI at a disadvantage by\nlosing top personnel. For expertise in areas in which the government\nwas weak, contractors were chosen. The FBI Deputy CIO said that he\nis happy with the PMO\xe2\x80\x99s return on investment thus far in the project.\n\n      The FBI Deputy CIO also said that as the Sentinel project\nprogresses, the focus areas and personnel needs of the PMO will shift.\nFor example, Operations and Maintenance (O&M) will become more of\na focus, especially by the end of Phase 2. Since this will result in the\nneed for a different skill set than is currently available at the PMO,\nthere will be changes in personnel. Fewer designers will be needed,\nand more people to maintain the system will be required. The FBI\nDeputy CIO said the PMO will probably start trading personnel out of\nthe PMO as the need arises.\n\n     While we concluded that the FBI is making progress in\nimplementing the recommendations we have made during our prior\n                                  - 69 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\naudits, we will continue to monitor the progress made by the FBI in\nimplementing the remaining open recommendations through our audit\nfollow-up process and through our future Sentinel work.\n\nConclusion\n\n       The FBI has a broad range of management controls and\nprocesses that should aid it in managing the development of Sentinel.\nOf the four controls and processes we reviewed in depth, we found\nthat the FBI has made significant progress in implementing each.\nHowever, the FBI\xe2\x80\x99s experience with Phase 1 demonstrates the high\npriority the FBI must assign to the entire range of management\ncontrols and processes over the project. During Phase 1, issues the\nFBI experienced with three of the four of controls \xe2\x80\x93 earned value\nmanagement, risk management, and the bill of materials \xe2\x80\x93 show that\nadditional improvements need to made to allow the FBI to adequately\nmonitor cost, schedule, and performance of future phases of Sentinel.\n\n      Lockheed Martin and the FBI will likely face many of the issues\nencountered in Phase 1 during subsequent phases of Sentinel\xe2\x80\x99s\ndevelopment. For example, even though the FBI plans early\nprototyping to reduce the likelihood of problems when integrating\nCOTS components, the next phase of Sentinel will likely encounter\nunexpected problems integrating the various COTS components into\nlegacy FBI systems in a way that meets the FBI\xe2\x80\x99s needs. However,\nrigorous implementation of processes and lessons learned is necessary\nto minimize significant deviations from cost, schedule, technical, or\nperformance baselines.\n\nRecommendations\n\n     We recommend that the FBI:\n\n     3.   Collect and report EVM data for both the performance\n          measurement baseline approved at the integrated baseline\n          review as well as the revised performance measurement\n          baseline.\n\n     4.   Reconcile the discrepancy between the costs Lockheed\n          Martin reported for Phase 1 with Lockheed Martin\xe2\x80\x99s EVM\n          data, and develop and implement policies and procedures to\n          prevent any future discrepancies.\n\n\n                                - 70 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c            REDACTED FOR PUBLIC RELEASE\n\n\n5.   Develop and implement effectiveness measures for all risk\n     mitigation plans.\n\n6.   Ensure that personnel assigned to manage Sentinel risks\n     devote sufficient time to the risk and have the experience\n     and authority to adequately manage the risk.\n\n7.   Document and track project issues, risks that have\n     occurred, as well as the plan to resolve those issues and\n     their ultimate resolution.\n\n8.   Implement policies and procedures to ensure that any\n     changes to the bill of materials receive proper authorization\n     and that the changes can be reconciled to the bill of\n     materials submitted in Lockheed Martin\xe2\x80\x99s proposal.\n\n9.   Implement policies and procedures to ensure that materials\n     contained in Lockheed Martin invoices can be reconciled to\n     the bill of materials or an FBI approval for a change to the\n     bill of materials.\n\n\n\n\n                            - 71 -\n\n            REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n               STATEMENT ON COMPLIANCE WITH\n                   LAWS AND REGULATIONS\n\n      This audit assessed the FBI\xe2\x80\x99s implementation of the contract for\nits Sentinel case management project. In connection with the audit,\nas required by the Government Auditing Standards, we reviewed\nmanagement processes and records to obtain reasonable assurance\nthat the FBI\xe2\x80\x99s compliance with laws and regulations that, if not\ncomplied with, in our judgment, could have a material effect on FBI\noperations. Compliance with laws and regulations applicable to the\nFBI\xe2\x80\x99s management of the Sentinel project is the responsibility of the\nFBI\xe2\x80\x99s management.\n\n      Our audit included examining, on a test basis, evidence about\nlaws and regulations. The specific laws and regulations against which\nwe conducted our tests are contained in the relevant portions of:\n\n     \xe2\x80\xa2   OMB Circular A-11 and Memorandum M-05-23,\n     \xe2\x80\xa2   Executive Order 13356 (superseded by "Executive Order\n         13388: Further Strengthening the Sharing of Terrorism\n         Information to Protect Americans," dated October 25, 2005),\n     \xe2\x80\xa2   DOJ Order 2880.1b,\n     \xe2\x80\xa2   FBI Life Cycle Management Directive,\n     \xe2\x80\xa2   Department of Defense Programmer\xe2\x80\x99s Guide to the Integrated\n         Baseline Review,\n     \xe2\x80\xa2   American National Standards Institute/Electronic Industries\n         Alliance Standard 748A: Earned Value Management Systems,\n         and\n     \xe2\x80\xa2   National Defense Industrial Association Earned Value\n         Management System Intent Guide and Surveillance Guide.\n\n      Our audit identified no areas where the FBI was not in\ncompliance with the laws and regulations referred to above. With\nrespect to transactions that were not tested, nothing came to our\nattention that caused us to believe that FBI management was not in\ncompliance with the laws and regulations cited above.\n\n\n\n\n                                 - 72 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n               STATEMENT ON INTERNAL CONTROLS\n\n      In planning and performing our audit of the FBI\xe2\x80\x99s contract for its\nSentinel project, we considered the FBI\xe2\x80\x99s internal controls for the\npurpose of determining our audit procedures. This evaluation was not\nmade for the purpose of providing assurance on the internal control\nstructure as a whole. However, we noted certain matters that we\nconsider to be reportable conditions under the Government Auditing\nStandards.\n\n       Reportable conditions involve matters coming to our attention\nrelating to significant deficiencies in the design or operation of the\ninternal control structure that, in our judgment, could adversely affect\nthe FBI\xe2\x80\x99s ability to manage its Sentinel project. During our audit, we\nfound the following internal control deficiencies.\n\n      \xe2\x80\xa2   EVM cost data needs to be reconciled with the costs incurred\n          that was reported by Lockheed Martin, the prime contractor\n          for the development of Sentinel.\n\n      \xe2\x80\xa2   Contingency plans for highly ranked project risks need to be\n          developed.\n\n      \xe2\x80\xa2   Measurements of effectiveness for risk mitigation plans need\n          to be developed.\n\n      \xe2\x80\xa2   Project issues (risks that have occurred) and their resolution\n          are not tracked.\n\n      Because we are not expressing an opinion on the FBI\xe2\x80\x99s internal\ncontrol structure as a whole, this statement is intended solely for the\ninformation and use of the FBI in contracting for the Sentinel project.\nThis restriction is not intended to limit the distribution of this report,\nwhich is a matter of public record.\n\n\n\n\n                                   - 73 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n                                                          APPENDIX 1\n\n            OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjective\n\n      The objectives of this audit were to determine: (1) the status of\nthe Sentinel project, including the FBI\xe2\x80\x99s monitoring of the contractor\xe2\x80\x99s\nperformance during Phase 1; (2) the planning for and progress of\nPhase 2; and (3) the resolution of remaining concerns identified in our\nprevious two audit reports.\n\nScope and Methodology\n\n      The audit was performed in accordance with the Government\nAuditing Standards, and included tests and procedures necessary to\naccomplish the audit objectives. We conducted work at FBI\nheadquarters in Washington, D.C., and at the FBI Sentinel Program\nManagement Office in McLean, Virginia.\n\n      To perform our audit, we interviewed officials from the FBI,\nOffice of the Director of National Intelligence (DNI), the Department of\nJustice, and the Office of Management and Budget. We also\ninterviewed officials from Lockheed Martin and other contractors\nsupporting the PMO. We reviewed documents related to the Sentinel\ncontract; cost and budget documentation; Sentinel plans, processes\nand guidelines; prior OIG Sentinel reports; and other reports from the\nOIG and other agencies on the FBI\xe2\x80\x99s information technology.\n\n      To evaluate the FBI\xe2\x80\x99s implementation of the Sentinel contract,\nwe examined the contract as well as associated amendments and\ndocumentation, underlying cost estimates, and methodologies for\ncontract modifications. We also examined actual costs, progress\ntoward completion of Phase 1, and planning for Phase 2. Additionally,\nwe interviewed FBI officials responsible for contract implementation.\n\n       To update issues identified in the OIG\xe2\x80\x99s December 2006 Sentinel\naudit report, we interviewed responsible FBI and contractor officials\nand reviewed plans and procedures for cost tracking, risk\nmanagement, contingency planning, IV&V, and PMO staffing. We also\ninterviewed FBI officials and obtained the updated status on issues\nrelating to information sharing and EVM.\n\n\n                                 - 74 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n                                                       APPENDIX 2\n\n                             ACRONYMS\n\nACS          Automated Case Support\nBooz Allen   Booz Allen Hamilton\nBOM          Bill of Materials\nCIO          Chief Information Officer\nCMMI         Capability Maturity Model Integration\nCOTR         Contracting Officer\xe2\x80\x99s Technical Representative\nCOTS         Commercial Off-The-Shelf\nECF          Electronic Case File\nEVM          Earned Value Management\nFBI          Federal Bureau of Investigation\nGAO          Government Accountability Office\nIBR          Integrated Baseline Review\nICM          Investigative Case Management\nIMS          Integrated Master Schedule\nIT           Information Technology\nITIM         Information Technology Investment Management\nIV&V         Independent Verification and Validation\nLCMD         Life Cycle Management Directive\nOIG          Office of the Inspector General\nOMB          Office of Management and Budget\nPKI          Public Key Infrastructure\nPMO          Program Management Office\nRCD          Requirements Clarification Document\nRCR          Requirements Clarification Review\nSRS          System Requirements Specifications\nUNI          Universal Index\nVCF          Virtual Case File\nWACS         Web-Enabled Automated Case Support\n\n\n\n\n                                - 75 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n                                                           APPENDIX 3\n\n         THE FBI\xe2\x80\x99S LIFE CYCLE MANAGEMENT DIRECTIVE\n\n      The FBI\xe2\x80\x99s IT Systems Life Cycle Management Directive (LCMD) is\ncomprised of interrelated components that include Life Cycle Phases,\nControl Gate Reviews and Boards, and Project Level Reviews. Because\nSentinel has multiple phases, it will pass many of the life cycle phases,\ncontrol gate reviews, and project level reviews multiple times.\n\nPhases\n\n      The LCMD has established nine phases that occur during the\ndevelopment, implementation, and retirement of IT projects. During\nthese phases, specific requirements must be met for the project to\nobtain the necessary FBI management approvals to proceed to the\nnext phase.\n\nControl Gate Reviews & Boards\n\n      The approvals to proceed from one phase to the next occur\nthrough seven control gates, where management boards meet to\ndiscuss and approve or disapprove a project\xe2\x80\x99s progression to future\nphases of development and implementation. The seven control-gate\nreviews provide management control and direction, decision-making,\ncoordination, confirmation of successful performance of activities, and\ndetermination of a system\xe2\x80\x99s readiness to proceed to the next life cycle\nphase.\n\nProject-level Reviews\n\n      Project-level Reviews support the IT Systems Life Cycle process.\nProject Level Reviews determine program or project readiness to\nproceed to the next activities of the project life cycle. Each Project\nLevel Review feeds information up to the Executive-level Control\nGates, as data is developed and milestones are completed.\n\n\n\n\n                                  - 76 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n                          FBI LCMD PHASES\n\n   PHASE NAME                                DESCRIPTION\n\n1. Concept Exploration     Identifies the mission need, develops and\n                           evaluates alternate solutions, and develops the\n                           business plan.\n\n2. Requirements            Defines the operational, technical and test\n   Development             requirements, and initiates project planning.\n\n3. Acquisition Planning    Allocates the requirements among the\n                           development segments, researches and applies\n                           lessons learned from previous projects, identifies\n                           potential product and service providers, and\n                           identifies funding.\n\n4. Source Selection        Solicits and evaluates proposals and selects the\n                           product and service providers.\n\n5. Design                  Creates detailed designs for system components,\n                           products, and interfaces; establishes testing\n                           procedures for a system\xe2\x80\x99s individual components\n                           and products and for the testing of the entire\n                           system once completed.\n\n6. Development and         Produces and tests all system components,\n   Test                    assembles and tests all products, and plans for\n                           system testing.\n\n7. Implementation and      Executes functional, interface, system, and\n   Integration             integration testing; provides user training; and\n                           accepts and transitions the product to operations.\n\n8. Operations and          Maintains and supports the product, and manages\n   Maintenance             and implements necessary modifications.\n\n9. Disposal                Shuts down the system operations and arranges\n                           for the orderly disposition of system assets.\n\n\n\n\n                                  - 77 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              FBI LCMD CONTROL GATE REVIEWS\n\n GATE                               DESCRIPTION\n\nGate 1   System Concept Review approves the recommended system concept\n         of operations and occurs at the end of Phase 1 of LCMD.\n\nGate 2   Acquisition Plan Review approves the Systems Specification and\n         Interface Control documents as developed in Phase 2 and the\n         approach and resources required to acquire the system as defined in\n         the Acquisition Plan as developed in Phase 3.\n\nGate 3   Final Design Review approves the build-to and code-to documentation\n         and associated draft verification procedures. It also ensures that the\n         design presented can be produced and will meet its design-to\n         specification at verification. The gate review occurs after the\n         contractor is selected in Phase 4 and system design is completed in\n         Phase 5.\n\nGate 4   Deployment Readiness Review approves the readiness of the system\n         for deployment in the operational environment. The gate review\n         occurs after the system is developed and tested in Phase 6. Approval\n         through Gate 4 signifies readiness for system implementation.\n\nGate 5   System Test Readiness Review verifies readiness to perform an\n         official system-wide data gathering verification test for either\n         qualification or acceptance. The gate review occurs mid-way through\n         Phase 7.\n\nGate 6   Operational Acceptance Review approves overall system and product\n         validation by obtaining customer acceptance and determining\n         whether the operations and maintenance organization agrees to, and\n         has the ability to, support continuous operations of the system. The\n         gate review occurs at the end of Phase 7.\n\nGate 7   Disposal Review authorizes termination of the Operations and\n         Maintenance life cycle phase and disposes of system resources. The\n         gate review occurs at the end of Phase 8 and results in Phase 9.\n\n\n\n\n                                   - 78 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n\n           EXECUTIVE REVIEW BOARDS RESPONSIBLE\n                FOR CONTROL GATE REVIEWS\n\nNew FBI Process for Overseeing IT Projects\n\n      In November 2006, a new FBI IT governance secretariat began\noperations. The governance secretariat established several working\ngroups to assess an IT project each time it requests approval to pass\nthrough an LCMD gate. Based on the need for varying expertise, the\nrole of each working group varies according to the LCMD gate, but the\nentire process requires input from the following working groups: the\nInvestment Project Review Working Group, Technical Review Working\nGroup, Enterprise Architecture Working Group, and the Configuration\nManagement Quality Assurance Working Group.\n\nAssessments Under New Governance Process\n\n      As Sentinel approaches an LCMD gate, the Sentinel PMO works\nwith the working group responsible for doing assessments for that\ngate. LCMD control gate documentation is normally submitted\n3 weeks in advance of the final assessment for review.\n\n       The cognizant working group has 3 days to provide a preliminary\nassessment of the documentation. To save resources and time, the\nFBI will cancel the formal gate review if the working group discovers\nsignificant issues during the preliminary assessment. If a project\xe2\x80\x99s\nmanager disagrees with the working group\xe2\x80\x99s preliminary assessment,\nthe Chief Technology Officer makes a determination.\n\n      If a project passes the preliminary assessment, the working\ngroups have 10 days to conduct a full assessment. The executive\nsummaries of the working groups are compiled along with conditions\nnecessary for the project to clear the gate, and a formal gate review\nmeeting is conducted, during which one of the following four FBI IT\nDecision Board decides whether the project should clear the gate.\n\n     \xe2\x80\xa2   The Investment Management Board oversees the System\n         Concept Review (Control Gate 1).\n\n     \xe2\x80\xa2   The Project Review Board oversees the Acquisition Plan\n         Review (Control Gate 2) and the Disposal Review (Control\n         Gate 7).\n\n                                 - 79 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n     \xe2\x80\xa2   The Technical Development and Deployment Board oversees\n         the Final Design Review (Control Gate 3), the Deployment\n         Readiness Review (Control Gate 4), the System Test\n         Readiness Review (Control Gate 5), and the Operational\n         Acceptance Review (Control Gate 6).\n\nPrevious FBI Process for Overseeing IT Projects\n\n      The FBI\xe2\x80\x99s previous IT governance system did not require working\ngroup assessments of a project\xe2\x80\x99s documentation at each LCMD control\ngates. However, under the old system, the Technical Review Board\nwas required to review the project at Gate 3, the Final Design Review.\n\n     \xe2\x80\xa2   The IMPRB leads the System Concept Review and the\n         Acquisition Plan Review (Control Gates 1 and 2) and ensures\n         that all IT acquisitions are aligned and comply with FBI\n         policies, strategic plans, and investment management\n         requirements.\n\n     \xe2\x80\xa2   The Technical Review Board leads the Final Design Review\n         (Control Gate 3) and ensures that IT systems comply with\n         technical requirements and meet FBI needs.\n\n     \xe2\x80\xa2   The Change Management Board leads the Deployment\n         Readiness Review, System Test Readiness Review,\n         Operational Acceptance Review and the Disposal Review\n         (Control Gates 4 through 7) and controls and manages\n         developmental and operational efforts that change the FBI\'s\n         operational IT environment.\n\n     \xe2\x80\xa2   The Enterprise Architecture Board ensures that IT systems\n         comply with Enterprise Architecture requirements.\n\n     \xe2\x80\xa2   The IT Policy Review Board establishes, coordinates,\n         maintains and oversees implementation of IT policies.\n\n\n\n\n                                - 80 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n                   PROJECT LEVEL REVIEWS:\n      CONCEPT EXPLORATION PHASE THROUGH DESIGN PHASE\n\n     REVIEW NAME                              DESCRIPTION\n\n1. Mission Needs Review    Examines the user need or technological\n                           opportunity, the deficiencies in the current set of\n                           systems, alternative and the proposed solution, and\n                           a business case or rationale for further investigating\n                           changes to the FBI\xe2\x80\x99s information systems.\n\n2. System Specification    The decision point to proceed with the development\n   Review                  of an Acquisition Plan, the allocation of high level\n                           system requirements to segment specifications, and\n                           the development of Project Plans that will manage\n                           the acquisition.\n\n3. Source Selection        Approves source selection results and authorizes\n   Acquisition Review      contract negotiations.\n\n4. Contract                The first review between the customer and the\n   Implementation Review   solution provider following a contract award.\n\n5. Requirements            Ensures the solution provider has a full\n   Clarification Review    understanding of the requirements for the system or\n                           segment and can articulate this understanding\n                           through proposed implementations of the\n                           requirement.\n\n6. Design Concept Review   Technical review of the decomposition of the system\n                           or product (hardware, software, and manual\n                           operations).\n\n7. Preliminary Design      Can be a single event or spaced out over time\n   Review                  during the Design Phase to cover logical groupings\n                           of configuration items. The review proves that the\n                           concept and the specification for the concept are\n                           feasible and will satisfy higher level requirements\n                           allocated to it, and to approve the preliminary\n                           design-to specifications and associated verification\n                           plans. All hardware, software, support equipment,\n                           facilities, personnel, and tooling should be reviewed\n                           in descending order of system to assembly.\n\n\n                                  - 81 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n     REVIEW NAME                                 DESCRIPTION\n\n8. Critical Design Review    Approves the build-to and code-to documentation\n                             and associated draft verification procedures, to\n                             ensure that the design presented can be produced,\n                             and that when built is expected to meet its design-to\n                             specification at verification.\n\n9. Product Test Readiness    Series of technical reviews at which the customer\n   Review                    concurs that the solution provider is ready to\n                             conduct official "sell-off" tests during which official\n                             verification data will be produced.\n\n10. Site Test Readiness      Technical review at which the customer concurs that\n    Review                   the supplier is ready to conduct official "sell-off"\n                             tests during which official verification data will be\n                             produced.\n\n11. Site Acceptance Review   Technical review where customer organization\n                             accepts the system or segment delivered to the site.\n\n12. Operational Readiness    Technical review between the Project Office and the\n    Review                   product user to verify readiness for system\n                             validation required by the Operational Readiness\n                             Plan developed in compliance with the Mission\n                             Requirements Concept of Operations Document at\n                             the outset of the project.\n\n13. Operational              Tests the operational capability of the system from a\n    Acceptance Test          deployed user perspective. Becomes the basis for\n                             government acceptance of the Phase 1 product.\n\n14. Deployment               Provides the final approval ("go-ahead") to deploy\n    Acceptance Review        the Phase 1 system.\n\n\n\n\n                                    - 82 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n           - 83 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n                                                           APPENDIX 4\n\n                   PRIOR REPORTS ON THE FBI\xe2\x80\x99S\n                    INFORMATION TECHNOLOGY\n\n      Below is a listing of relevant reports discussing the FBI\xe2\x80\x99s\ninformation technology (IT) systems. These include reports issued by\nthe Department of Justice Office of the Inspector General (OIG), the\nGovernment Accountability Office (GAO), and by other external entities\nas well as FBI internal reports.\n\nPrior OIG Reports on FBI Case Management Efforts\n\n      In December 2006, the OIG issued a report entitled, Sentinel\nAudit II: Status of the Federal Bureau of Investigation\xe2\x80\x99s Case\nManagement System. The report stated that the FBI made progress\naddressing concerns previously reported. The OIG recommended that\nthe FBI take the following steps:\n\n     \xe2\x80\xa2   ensure that the management reserve is based on an\n         assessment of project risk for each phase and for the project\n         overall,\n\n     \xe2\x80\xa2   periodically update the estimate of total project costs as\n         actual cost data is available,\n\n     \xe2\x80\xa2   complete contingency plans as required by the Sentinel Risk\n         Management Plan,\n\n     \xe2\x80\xa2   ensure that the independent verification and validation\n         process is conducted through project completion, and\n\n     \xe2\x80\xa2   complete hiring as soon as possible for the vacant Project\n         Management Office (PMO) positions needed during the\n         current project phase.\n\n      In March 2006, the OIG issued a report entitled The Federal\nBureau of Investigation\xe2\x80\x99s Pre-Acquisition Planning for and Controls\nOver the Sentinel Case Management System. The report found that\nthe FBI had taken important steps to address its past mistakes in\nplanning for the development of Sentinel. The report identified the\nfollowing areas of concern:\n\n\n                                  - 84 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n     \xe2\x80\xa2   the incomplete staffing of the PMO,\n\n     \xe2\x80\xa2   the FBI\xe2\x80\x99s ability to reprogram funds to complete the second\n         phase of the project without jeopardizing its mission-critical\n         operations,\n\n     \xe2\x80\xa2   Sentinel\xe2\x80\x99s ability to share information with external\n         intelligence and law enforcement agencies and provide a\n         common framework for other agencies\xe2\x80\x99 case management\n         systems,\n\n     \xe2\x80\xa2   the lack of an established Earned Value Management (EVM)\n         process,\n\n     \xe2\x80\xa2   the FBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs, and\n\n     \xe2\x80\xa2   the lack of complete documentation required by the FBI\xe2\x80\x99s\n         information technology investment management (ITIM)\n         processes.\n\n      The OIG concluded that these areas of concern required action\nand continued monitoring by the FBI, the OIG, and other interested\nparties.\n\n      In February 2005, the OIG issued a report entitled, The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information\nTechnology Modernization Project, which encompassed Sentinel\xe2\x80\x99s\npredecessor, the Virtual Case File (VCF). The OIG recommended the\nFBI take the following steps:\n\n     \xe2\x80\xa2   Replace the obsolete ACS system as quickly and as cost\n         effectively as feasible.\n\n     \xe2\x80\xa2   Reprogram FBI resources to meet the critical need for a\n         functional case management system.\n\n     \xe2\x80\xa2   Freeze the critical design requirements for the case\n         management system before initiating a new contract and\n         ensure that the contractor fully understands the requirements\n         and has the capability to meet them.\n\n     \xe2\x80\xa2   Incorporate development efforts for the VCF into the\n         development of the requirements for any successor case\n         management system.\n                                  - 85 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n\n      \xe2\x80\xa2    Validate and improve as necessary financial systems for\n           tracking project costs to ensure complete and accurate data.\n\n      \xe2\x80\xa2    Develop policies and procedures to ensure that future\n           contracts for IT-related projects include defined requirements,\n           progress milestones, and penalties for deviations from the\n           baselines.\n\n      \xe2\x80\xa2    Establish management controls and accountability to ensure\n           that baselines for the remainder of the current user\n           applications contract and any successor Trilogy-related\n           contracts are met.\n\n      \xe2\x80\xa2    Apply ITIM processes to all Trilogy-related and any successor\n           projects.\n\n      \xe2\x80\xa2    Monitor the Enterprise Architecture being developed to ensure\n           timely completion as scheduled.\n\n      The report concluded that the difficulties experienced in\ncompleting the Trilogy project were partially attributable to:\n(1) design modifications the FBI made as a result of refocusing its\nmission from traditional criminal investigations to preventing\nterrorism, (2) poor management decisions early in the project,\n(3) inadequate project oversight, (4) a lack of sound IT investment\npractices, and (5) not applying lessons learned over the course of the\nproject.\n\nExternal Reports on FBI Case Management Efforts\n\n      In July 2007, the GAO issued a report on the extent to which the\nFBI had established best practices for acquiring Sentinel and\nestimating the project\xe2\x80\x99s schedule and costs. 61 The GAO concluded that\nthe FBI was managing Sentinel in accordance with several key best\npractices for acquiring IT systems, including practices for evaluating\noffers and awarding contracts. However, the GAO also concluded that\nthe FBI had not established performance and product quality standards\nfor the program management contractors who support the FBI in\noverseeing Sentinel. In addition, the GAO reported that the FBI\xe2\x80\x99s\n\n      61\n          U.S. Government Accountability Office, Information Technology: FBI\nFollowing a Number of Key Acquisition Practices on New Case Management System\nbut Improvements Still Needed, July 2007.\n                                       - 86 -\n\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\npolicies, procedures, and supporting tools that formed the basis of\nSentinel\xe2\x80\x99s schedule and cost estimates did not incorporate several key\nbest practices. As a result, the GAO questioned the reliability schedule\nand cost estimates, noting that the estimates did not include all\nrelevant costs and used inadequately documented methodologies.\n\n       In April 2007, the GAO issued a report entitled, INFORMATION\nSECURITY: FBI Needs to Address Weaknesses in Critical Network\nidentifying ineffective controls in protecting the confidentiality,\nintegrity, and availability of information and information resources.\nThe GAO found that the FBI did not consistently (1) configure network\ndevices and services to prevent unauthorized insider access and\nensure system integrity; (2) identify and authenticate users to prevent\nunauthorized access; (3) enforce the principle of least privilege to\nensure that authorized access was necessary and appropriate;\n(4) apply strong encryption techniques to protect sensitive data on its\nnetworks; (5) log, audit, or monitor security-related events;\n(6) protect the physical security of its network; and (7) patch key\nservers and workstations in a timely manner. Taken collectively, these\nweaknesses place sensitive information transmitted on the FBI\xe2\x80\x99s\nnetwork at risk of unauthorized disclosure or modification, and could\nresult in a disruption of service, increasing the FBI\xe2\x80\x99s vulnerability to\ninsider threats.\n\n      In October 2006, the GAO issued a report entitled,\nINFORMATION TECHNOLOGY: FBI Has Largely Staffed Key\nModernization Program, but Strategic Approach to Managing Program\xe2\x80\x99s\nHuman Capital Is Needed. This report credited the FBI for filling\nalmost all positions in its staffing plan. However, the report also noted\na few key vacancies, and that the staffing plan was not derived using a\ndocumented data-driven methodology and did not provide for\ninventorying the knowledge and skills of existing staff, forecasting\nfuture knowledge and skill needs, analyzing gaps in capabilities\nbetween the existing staff and future workforce needs, and formulating\nstrategies for filling expected gaps.\n\n      In February 2006, the GAO issued a report entitled Weak\nControls over Trilogy Project Led to Payment of Questionable\nContractor Costs and Missing Assets that was critical of the FBI\xe2\x80\x99s\ncontrols over costs and assets of its Trilogy project. The GAO found\nthat the FBI\xe2\x80\x99s review and approval process for Trilogy contractor\ninvoices did not provide an adequate basis for verifying that goods and\nservices billed were actually received and that the amounts billed were\nappropriate, leaving the FBI highly vulnerable to payments of\n                                  - 87 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nunallowable costs. These costs included first-class travel and other\nexcessive airfare costs, incorrect charges for overtime hours, and\ncharges for which the contractors could not document costs incurred.\nThe GAO found unsupported and questionable costs in the amount of\n$10 million. The GAO also found that the FBI failed to establish\ncontrols to maintain accountability over equipment purchased for the\nTrilogy project. According to the GAO, poor property management led\nto 1,205 missing pieces of equipment valued at $7.6 million.\n\n     In April 2005, the House Surveys and Investigations staff issued\nA Report to the Committee on Appropriations, U.S. House of\nRepresentatives, which concluded that:\n\n     \xe2\x80\xa2   VCF development suffered from a lack of program\n         management expertise, disciplined systems engineering\n         practices, and contract management. The project also was\n         affected by a high turnover of Chief Information Officers\n         (CIO) and program managers.\n\n     \xe2\x80\xa2   VCF development was negatively impacted by the FBI\xe2\x80\x99s lack\n         of an empowered and centralized Office of Chief Information\n         Officer and sound business processes by which IT projects are\n         managed.\n\n     \xe2\x80\xa2   The FBI\xe2\x80\x99s decision to terminate VCF was related to\n         deficiencies in the VCF product delivered, failure of a pilot\n         project to meet user needs, and the new direction the FBI\n         planned to take for its case management system.\n\n     \xe2\x80\xa2   The FBI\xe2\x80\x99s IT program management business structure and\n         processes were, for the most part, in place, although some of\n         these processes needed to mature.\n\n       In September 2004, the GAO issued a report entitled,\nInformation Technology: Foundational Steps Being Taken to Make\nNeeded FBI Systems Modernization Management Improvements. This\nreport stated that although improvements were under way and more\nwere planned, the FBI did not have an integrated plan for modernizing\nits IT systems. Each of the FBI\xe2\x80\x99s divisions and other organizational\nunits that manage IT projects performs integrated planning for its\nrespective IT projects. However, the plans did not provide a common,\nauthoritative, and integrated view of how IT investments will help\noptimize mission performance, and they did not consistently contain\nthe elements expected to be found in effective systems modernization\n                                  - 88 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\nplans. The GAO recommended that the FBI limit its near-term\ninvestments in IT systems until the FBI developed an integrated\nsystems and modernization plan and effective policies and procedures\nfor systems acquisition and investment management. Additionally, the\nGAO recommended that the FBI\xe2\x80\x99s CIO be provided with the\nresponsibility and authority to effectively manage IT FBI-wide.\n\n       The National Research Council issued a report in May 2004\nentitled A Review of the FBI\xe2\x80\x99s Trilogy Information Technology\nModernization Program. The report found that the program was not\non a path to success, and identified the following needs:\n\n      \xe2\x80\xa2   valid contingency plans for transitioning from the old case\n          management system to the new one,\n\n      \xe2\x80\xa2   completed Enterprise Architecture,\n\n      \xe2\x80\xa2   adequate time for testing the new system prior to\n          deployment,\n\n      \xe2\x80\xa2   improved contract management processes, and\n\n      \xe2\x80\xa2   expanded IT human resources base.\n\n      The report concluded that the FBI had made significant progress\nin some areas of its IT modernization efforts, such as the\nmodernization of the computing hardware and baseline software and\nthe deployment of its networking infrastructure. However, because\nthe FBI\xe2\x80\x99s IT infrastructure was inadequate in the past, there was still\nan enormous gap between the FBI\xe2\x80\x99s IT capabilities and the capabilities\nthat were urgently needed.\n\n      The report was updated in June 2004 as a result of what the\nCouncil deemed clear evidence of progress being made by the FBI to\nmove ahead in its IT modernization program. This included the\nappointment of a permanent CIO and the formation of a staffed\nprogram office for improved IT contract management. The progress\nbeing made by the FBI appeared to the Council to have been more\nrapid than expected, although many challenges remained. The Council\nalso emphasized that the FBI\xe2\x80\x99s missions constitute increasingly\ninformation-intensive challenges, and the ability to integrate and\nexploit rapid advances in IT capabilities will only become more critical\nwith time. The update concluded that even with perfect program\nmanagement and execution, substantial IT expenses on an ongoing\n                                  - 89 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\nbasis are inevitable and must be anticipated in the budget process if\nthe FBI is to maximize the operational leverage that IT offers.\n\nFBI Internal Reports on Case Management\n\n      The FBI hired the Aerospace Corporation to perform an\nassessment of commercial-off-the-shelf (COTS) and government-off-\nthe-shelf systems that could be used in developing a case\nmanagement system and also an Independent Verification and\nValidation of Trilogy\xe2\x80\x99s VCF. In December 2004, the contractor issued\nthe study, which recommended that the FBI look to systems that have\nan emphasis on data sharing. The contractor further recommended\nthat an acquisition strategy be developed that includes an incremental\ndeployment of core capabilities and the incremental addition of such\ncomponents as intelligent search and reporting and specific analytic\ncapabilities.\n\n       The contractor released the Independent Verification and\nValidation of the Trilogy Virtual Case File, Delivery 1: Final Report in\nJanuary 2005. The report recommended discarding the VCF and\nstarting over with a COTS-based solution. The contractor concluded\nthat a lack of effective engineering discipline had led to inadequate\nspecification, design, and development of VCF. Further, the contractor\ncould find no assurance that the architecture, concept of operations\nand requirements were correct or complete, and no assurance that\nthey could be made so without substantial rework. In sum, the\ncontractor reported that VCF was a system whose true capability was\nunknown, and whose capability may remain unknown without\nsubstantial time and resources applied to remediation.\n\nOther OIG Reports on the FBI\xe2\x80\x99s IT\n\n      OIG reports issued over the past 17 years have highlighted\nissues concerning the FBI\xe2\x80\x99s utilization of IT, including its investigative\nsystems. For example, in 1990 the OIG issued a report entitled The\nFBI\xe2\x80\x99s Automatic Data Processing General Controls. This report\ndescribed 11 internal control weaknesses and found that:\n\n      \xe2\x80\xa2 The FBI\xe2\x80\x99s phased implementation of its 10-year Long Range\n        Automation Strategy, scheduled for completion in 1990, was\n        severely behind schedule and may not be accomplished.\n\n      \xe2\x80\xa2 The FBI\xe2\x80\x99s Information Resources Management program was\n        fragmented and ineffective, and the FBI\xe2\x80\x99s Information\n                                   - 90 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n         Resources Management official did not have effective\n         organization-wide authority.\n\n      \xe2\x80\xa2 The FBI had not developed and implemented a data\n        architecture.\n\n      \xe2\x80\xa2 The FBI\xe2\x80\x99s major mainframe investigative systems were labor\n        intensive, complex, untimely, and non-user friendly and few\n        agents used these systems.\n\n       The OIG\xe2\x80\x99s July 1999 special report, The Handling of FBI\nIntelligence Information Related to the Justice Department\xe2\x80\x99s Campaign\nFinance Investigation, reported that FBI personnel were not well-\nversed in the ACS system and other databases.\n\n      A March 2002 OIG report, entitled An Investigation of the\nBelated Production of Documents in the Oklahoma City Bombing Case,\nanalyzed the causes for the FBI\xe2\x80\x99s late delivery of many documents in\nthe Oklahoma City bombing case. This report concluded that the ACS\nsystem was extraordinarily difficult to use, had significant deficiencies,\nand was not the vehicle for moving the FBI into the 21st century. The\nreport noted that inefficiencies and complexities in the ACS, combined\nwith the lack of a true information management system, were\ncontributing factors in the FBI\xe2\x80\x99s failure to provide hundreds of\ninvestigative documents to the defendants in the Oklahoma City\nbombing case.\n\n       In May 2002, the OIG issued a report on the FBI\xe2\x80\x99s administrative\nand investigative mainframe systems entitled the Independent\nEvaluation Pursuant to the Government Information Security Reform\nAct, Fiscal Year 2002. The report identified continued vulnerabilities\nwith management, operational, and technical controls within the FBI.\nThe report stated that these vulnerabilities occurred because the\nDepartment and FBI security management had not enforced\ncompliance with existing security policies, developed a complete set of\npolicies to effectively secure the administrative and investigative\nmainframes, or held FBI personnel responsible for timely correction of\nrecurring findings. Further, the report stated that FBI management\nhad been slow to correct identified weaknesses and implement\ncorrective action and, as a result, many of these deficiencies repeated\nyear after year in subsequent audits.\n\n     In December 2002, the OIG issued a report on The FBI\xe2\x80\x99s\nManagement of Information Technology Investments, which included a\n                                  - 91 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\ncase study of the Trilogy project. The report made 30\nrecommendations, 8 of which addressed the Trilogy project. The\nreport\xe2\x80\x99s focus was on the need to adopt sound investment\nmanagement practices as recommended by the GAO. The report also\nstated that the FBI did not fully implement the management processes\nassociated with successful IT investments. Specifically, the FBI had\nfailed to implement the following critical processes:\n\n     \xe2\x80\xa2 defining and developing IT investment boards,\n\n     \xe2\x80\xa2 following a disciplined process of tracking and overseeing\n       each project\xe2\x80\x99s cost and schedule milestones over time,\n\n     \xe2\x80\xa2 identifying existing IT systems and projects,\n\n     \xe2\x80\xa2 identifying the business needs for each IT project, and\n\n     \xe2\x80\xa2 using defined processes to select new IT project proposals.\n\nThe audit found that the lack of critical IT investment management\nprocesses for Trilogy contributed to missed milestones and led to\nuncertainties about cost, schedule, and technical goals.\n\n\n\n\n                                - 92 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c              REDACTED FOR PUBLIC RELEASE\n\n\n                                               APPENDIX 5\n\n COMPARISON OF ACS, WACS, AND PHOENIX FUNCTIONALITY\n         TO SENTINEL\xe2\x80\x99S PHASE 1 DELIVERABLES\n\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nXxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nXxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx   xxxx   xxxx\nSource: FBI\n\n\n\n                            - 93 -\n\n              REDACTED FOR PUBLIC RELEASE\n\x0c                REDACTED FOR PUBLIC RELEASE\n\n\n Comparison of ACS-UNI, WACS, and PHOENIX Functionality to\n               Sentinel\xe2\x80\x99s Phase 1 Deliverables\n\n   Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\n                                     xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       xxxx     xxxx   xxxx\n  Source: FBI\n\n\n\n\n                            - 94 -\n\n                REDACTED FOR PUBLIC RELEASE\n\x0c              REDACTED FOR PUBLIC RELEASE\n\n\nComparison of ACS-ICM, WACS, and PHOENIX Functionality to\n              Sentinel\xe2\x80\x99s Phase 1 Deliverables\n\n xxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\n                                    xxxx    xxxx     xxxx\n\n                           - 95 -\n\n              REDACTED FOR PUBLIC RELEASE\n\x0c              REDACTED FOR PUBLIC RELEASE\n\n\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   xxxx      xxxx      xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx    xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx    xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\n                                   xxxx      xxxx     xxxx\n\n\n\n                           - 96 -\n\n              REDACTED FOR PUBLIC RELEASE\n\x0c              REDACTED FOR PUBLIC RELEASE\n\n\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\n                                 xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     xxxx      xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      xxxx    xxxx     xxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nSource: FBI\n\n\n\n\n                           - 97 -\n\n              REDACTED FOR PUBLIC RELEASE\n\x0c                                  REDACTED FOR PUBLIC RELEASE\n\n\n\n                                                                                               APPENDIX 6\n\n                             INDEPENDENT VERIFICATION AND VALIDATION\n                                   ISSUES AND RECOMMENDATIONS\n\n         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n              Issue/Risk                               Recommendation                              Status\n1    xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxthey      Xxxxxx-\n     xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx         Xxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          Xxxxxx-\n     xxxxxxxxxxxxxxxxxxxxxxxxxx                                                                  Xxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxinto\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxonce\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.         Xxxxxx-\n                                                                                                 Xxxxxxxxxx\n\n\n\n\n                                                 - - 98 - -\n\n                                  REDACTED FOR PUBLIC RELEASE\n\x0c                                  REDACTED FOR PUBLIC RELEASE\n\n\n\n             Issue/Risk                                 Recommendation                         Status\n2   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      Xxxxxx-\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     Xxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n3   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx.\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   (Xxxxxx Xxxxxx)\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n\n\n                                                 - - 99 - -\n\n                                  REDACTED FOR PUBLIC RELEASE\n\x0c                                 REDACTED FOR PUBLIC RELEASE\n\n\n\n            Issue/Risk                                 Recommendation                          Status\n    xxxxxxxxxxxxxxxxxxxxxxxxxx      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      Xxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n4   xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      Xxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:\n\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                               Xxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx      Xxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxxxx\n                                                                                             Xxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxxxx\n                                                                                             Xxxxxxxxxx\n\n\n\n\n                                               - - 100 - -\n\n                                 REDACTED FOR PUBLIC RELEASE\n\x0c                                  REDACTED FOR PUBLIC RELEASE\n\n\n\n             Issue/Risk                                  Recommendation                       Status\n5   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     Xxxxxx \xe2\x80\x93\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.   Xxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n6   xxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       Xxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx       Xxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n\n                                                 - - 101 - -\n\n                                  REDACTED FOR PUBLIC RELEASE\n\x0c                                  REDACTED FOR PUBLIC RELEASE\n\n\n\n             Issue/Risk                                  Recommendation                        Status\n7   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.       Xxxx\n    xxxxxxxxxxxxxxxxxxxxxxxxxx.\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                               Xxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     Xxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                                Xxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                               Xxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     Xxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                            Xxxxxx Xxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                               Xxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     Xxxxxxxxxx\n                                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n\n\n                                                 - - 102 - -\n\n                                  REDACTED FOR PUBLIC RELEASE\n\x0c                                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                  Recommendation                     Status\n8    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n9    xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx,   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n10   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx,   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n\n                                                  - - 103 - -\n\n                                   REDACTED FOR PUBLIC RELEASE\n\x0c                                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                Recommendation                           Status\n11   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx         Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n\n12   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.       Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.       Xxxx\n\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxStart   Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n13   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n                                                  - - 104 - -\n\n                                   REDACTED FOR PUBLIC RELEASE\n\x0c                                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                 Recommendation                      Status\n14   xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                             Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe\n     xxxxxxxxxxxxxxxxxxxxxxxxxx                                                              Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx                                                              Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx)\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n\n                                                 - - 105 - -\n\n                                   REDACTED FOR PUBLIC RELEASE\n\x0c                                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                Recommendation                          Status\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx-   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.       Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n15   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n\n16   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n17   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx                                                              Xxxxxx Xxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                                                                             Xxxxxx Xxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n18   xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.   Xxxxxx Xxxxxx\n\n19   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n\n\n\n                                                  - - 106 - -\n\n                                   REDACTED FOR PUBLIC RELEASE\n\x0c                                   REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                  Recommendation                     Status\n20   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.   Xxxx\n\n\n\n\n21   xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx.   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n\n\n\n\n                                                  - - 107 - -\n\n                                   REDACTED FOR PUBLIC RELEASE\n\x0c                                      REDACTED FOR PUBLIC RELEASE\n\n\n\n              Issue/Risk                                     Recommendation                     Status\n22   xxxxxxxxxxxxxxxxxxxxxxxxxx       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n     xxxxxxxxxxxxxxxxxxxxxxxxxx       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    Xxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n                                      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n             Source: IV&V Contractor Reports\n\n\n\n\n                                                     - - 108 - -\n\n                                      REDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n                              APPENDIX 7\n\n RISK REGISTER OPEN RISKS\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 109 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 110 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 111 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 112 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 113 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 114 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 115 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 116 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 117 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 118 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 119 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 120 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 121 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0cREDACTED FOR PUBLIC RELEASE\n\n\n\n\n INFORMATION REDACTED\n\n\n\n\n           - 122 -\n\nREDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n                                                          APPENDIX 8\n\n        PMO STAFF POSITIONS AND RESPONSIBILITIES\n\nProgram Leadership\n\n      The Sentinel program leadership consists of a program manager\nand a deputy program manager who are responsible for ensuring the\noverall success of the Sentinel project.\n\nDirect Reporting Staff\n\n     The direct reporting staff includes the following:\n\n        \xe2\x80\xa2   Contract Officer \xe2\x80\x94 oversees all Sentinel contract\n            executions, including contractor task-order compliance,\n            prepares change orders or other contract modifications as\n            required, and also monitors contractual performance.\n\n        \xe2\x80\xa2   Contract Officer Technical Representative \xe2\x80\x94 assists\n            Contracting Officer in technical oversight.\n\n        \xe2\x80\xa2   General Counsel \xe2\x80\x94 provides legal advice to the program\n            manager and deputy program manager.\n\n        \xe2\x80\xa2   Communications \xe2\x80\x94 assists the program manager in\n            relaying program information.\n\nOrganization Change Management\n\n       Organizational Change Management (OCM) is responsible for\npreparing Sentinel users to accept and utilize Sentinel\xe2\x80\x99s capabilities.\nOCM provides a formal path for receiving new user-originated\nrequirements during the implementation of the system. The OCM\nteam includes special agents, intelligence analysts, and professional\nstaff who are on temporary duty assignments to the Sentinel program.\n\nBusiness Management\n\n      The Business Management organizational unit develops and\nmaintains program investments, budget, and spending plans. The\nteam also monitors, analyzes, and reports on the program\xe2\x80\x99s Earned\nValue Management status.\n\n                                - 123 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\nAdministrative Support\n\n     The Administrative Support staff directs the administrative and\nsupport services required by the Program Management Office.\n\nProgram Integration\n\n      The Program Integration staff is responsible for developing and\nmaintaining the Sentinel project baseline and then tracking progress\nand risks against that baseline. This team is also responsible for\ncoordinating external interfaces development plans and dependency\nschedules.\n\nSystem Development.\n\n      The System Development staff is responsible for the overall\nsystem design and its implementation increments. This team is also\nresponsible for the technical performance outcome of the Sentinel\nprogram and is accountable for the systems requirements and the\ndelivery of a system whose technical performance meets users\xe2\x80\x99\nexpectations.\n\nTransition\n\n       The Transition team is responsible for all activities associated\nwith the transition of Sentinel phase capability from its development to\neventual use by the FBI user community.\n\nOperations and Maintenance\n\n       The Operations and Maintenance staff is responsible for the\noperations and maintenance of the deployed Sentinel capabilities until\nit reaches full operation capability. At which time this responsibility\nwill be transferred to the FBI\xe2\x80\x99s Information Technology Operations\nDivision.\n\n\n\n\n                                 - 124 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n                                                                                APPENDIX 9\n\n   THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S RESPONS TO THE\n                      DRAFT REPORT\n                                              U.S. Department of Justice\n\n\n\n                                              Federal Bureau of Investigation\n\n\n                                              Washington, D. C. 20535-0001\n\n                                              August 22, 2007\n\nThe Honorable Glenn A. Fine\nInspector General\nOffice of the Inspector General\nU. S. Department of Justice\nRoom 4322\n950 Pennsylvania Avenue, N.W.\nWashington, D.C. 20530\n\n            Re: WORKING DRAFT AUDIT REPORT - SENTINEL AUDIT III:\n                 STATUS OF THE FEDERAL BUREAU OF INVESTIGATION\'S\n                 CASE MANAGEMENT SYSTEM\n\nDear Mr. Fine:\n\n            The Federal Bureau of Investigation (FBI) appreciates\nyour efforts, and those of your staff, in assessing the progress\nof our SENTINEL Program. As always, the FBI welcomes your\nobservations and final recommendations.\n\n            We have completed our review of your draft report\nentitled "SENTINEL Audit III: Status of The Federal Bureau of\nInvestigation\'s Case Management System." Enclosed is the FBI\'s\nresponse to your preliminary findings and recommendations. The\nresponse has undergone a classification review and sensitivity\nreview and is enclosed with this letter.\n\n            Please feel free to contact me on 202-324-6165, or Ms.\nRobin Davis of my staff should you have any questions. Ms. Davis\nmay be reached on (202) 324-2866.\n\n\n                                          Sincerely,\n\n\n\n\n                                          Zalmai Azmi\n                                          Chief Information Officer\n\nEnclosure\n                                    - 125 -\n\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                           REDACTED FOR PUBLIC RELEASE\n\n                            Federal Bureau of Investigations (FBI)\n                        Response to the Department of Justice (DOJ)\n                 Office of the Inspector General (OIG) Draft Audit Report\n             SENTINEL Audit III: Status of the Federal Bureau of Investigation\'s\n                                 Case Management System\n\n\nResponses to Recommendations:\n\nThe FBI concurs with the recommendations of the DOJ OIG\'s Audit Report and has\nalready taken positive measures to incorporate the recommendations in Program\nManagement Office (PMO) operations. The following comments are provided:\n\nFinding 1: Phase 1, Schedule, Cost, and Performance:\n\nRecommendation #1: Reconsider the four-phase approach to developing SENTINEL to\nlimit the scope of future phases to allow them to be completed in 9 months or less.\n\n        FBI Response: Completed. During a meeting with the DOJ OIG, the FBI OCIO,\nthe SENTINEL Program Manager (PM), SENTINEL Deputy PM, and SENTINEL System\nDevelopment Unit Chief on April 23, 2007, the philosophy of waterfall and incremental\nmethodologies was discussed based on Phase 1 lessons learned. At that time, the FBI\ninformed the DOJ OIG that it planned to modify its methodology to provide users with\ncapabilities at a more rapid pace rather than delivering all capabilities at the end of a phase.\n\n         In that regard, Lockheed Martin (LM), with PMO participation, has been developing\nthe strategic plan which will implement an incremental development and delivery schedule.\nThis plan is scheduled to be finalized and delivered to the FBI on August 31, 2007.\n\nRecommendation #2: Negotiate decreases in the cost of future phases if requirements are\ndeferred in that phase.\n\n       FBI Response: Agree. The SENTINEL PMO is currently awaiting an Engineering\nChange Proposal, due on August 31, 2007. At that time, the costs for Phases 2-4 will be\npresented, discussed and, if necessary, negotiated with LM.\n\n\n\n\n                                               - 126 -\n\n                           REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\nFinding 2: Phase 2 Planning and Management Issues:\n\nRecommendation #3: Collect and report EVM data for both the performance\nmeasurement baseline approved at the integrated baseline review as well as the revised\nperformance measurement baseline.\n\n       FBI Response: Completed. On March 29, 2007, the FBI and LM agreed to report\nEarned Value Management (EVM) performance against both the original Integrated\nBaseline Review (IBR) and subsequent baseline revisions, if any. This agreement will be\nimplemented as part of the new strategic plan for Phases 2- 4.\n\nRecommendation #4: Reconcile the discrepancy between the costs Lockheed Martin\nreported for Phase 1 with Lockheed Martin\'s EVM data, and develop and implement\npolicies and procedures to prevent any future discrepancies.\n\n        FBI Response: Agree. On June 14, 2007, the PMO "stood down" EVM reporting and\nhas not accepted any LM invoices pending LM\'s disclosure of the reasons for cost discrepancies\nand an acceptable action plan to prevent further occurrence. On August 7, 2007, LM disclosed\nthe reasons causing the discrepancies and proposed an action plan. The PMO is currently\nevaluating those reasons and the action plan.\n\nRecommendation #5: Develop and implement effectiveness measures for all risk mitigation\nplans.\n\n        FBI Response: Agree. SENTINEL is considering methods on how the effectiveness of\nthe mitigation strategy would be measured.\n\nRecommendation #6: Ensure that personnel assigned to manage SENTINEL risks devote\nsufficient time to the risk and have the experience and authority to adequately manage the\nrisk.\n\n        FBI Response: Agree. Each SENTINEL risk is assigned to a Risk Working Group in\nwhich experienced personnel with diverse qualifications have sufficient time and authority to\nadequately manage the risk. The dedicated Risk Coordinator maintains risks and action item\nstatus in the Risk Register.\n\nRecommendation #7: Document and track project issues, risks that have occurred, as well\nas the plan to resolve those issues and their ultimate resolution.\n\n         FBI Response: Agree. The PMO agrees to track and report on issues (including realized\nrisks) that have a material impact on the program. Material impact will be defined as any issue\nthat has a "Medium" or higher impact (cost, schedule, technical, or business impact) as specified\nin the FBI Risk Management guidance documents and the SENTINEL Risk Management Plan.\n\n\n\n\n                                             - 127 -\n\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\nRecommendation #8: Implement policies and procedures to ensure that any changes to the\nBill of Materials receive proper authorization and that the changes can be reconciled to the\nBill of Materials submitted in Lockheed Martin\'s proposal.\n\n        FBI Response: Agree. The PMO has developed an updated Bill of Materials Deviation\nPolicy and Procedure to ensure any changes are fully vetted by appropriate LM and PMO review\nboards prior to approval. As proposed, changes to the Bill of Materials will pass through\nappropriate decision boards including the Configuration and Change Management Board\n(CCMB) of LM Financial, the PMO CCMB, the PMO\'s Business Management Unit (BMU) and\ninternal Finance Division boards. That document is currently in the review and approval process.\n\nRecommendation #9: Implement policies and procedures to ensure that materials\ncontained in Lockheed Martin invoices can be reconciled to the bill of materials or an FBI\napproval for a change to the bill of materials.\n\n        FBI Response: Agree. As of June 2007, the PMO\'s BMU now requires LM Financial\nto map their invoices to the Bill of Materials. LM was required to implement this new procedure\nprior to the acceptance of any invoices by the PMO.\n\n\n\n\n                                            - 128 -\n\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n\n\n                                                          APPENDIX 10\n\n    OFFICE OF THE INSPECTOR GENERAL\xe2\x80\x99S ANALYSIS AND\n  SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT\n\n\n      Pursuant to the OIG\xe2\x80\x99s standard audit process, the OIG provided\na draft of this audit report to the FBI on August 6, 2007, for its review\nand comment. The FBI\xe2\x80\x99s August 22, 2007, response is included as\nAppendix 9 of this final report. The FBI concurred with the nine\nrecommendations in the audit report. Our analysis of the FBI\xe2\x80\x99s\nresponse to the nine recommendations is provided below.\n\n       The OIG also provided a draft of this report to Lockheed Martin\nfor its review and comment. The comments Lockheed Martin provided\nwere incorporated into this final report as appropriate.\n\nResponse to Recommendations\n\n1. Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n   statement that it plans to modify its methodology to provide users\n   with capabilities at a more rapid pace rather than delivering all the\n   capabilities at the end of a phase. Further, Lockheed Martin, with\n   PMO participation, is developing a strategic plan to implement an\n   incremental development and delivery schedule, due on August 31,\n   2007. This recommendation can be closed when we receive\n   documentation that the FBI has revised its four-phase approach for\n   developing Sentinel to limit the scope of future phases to allow\n   them to be completed in 9 months or less.\n\n2. Resolved. In response to this recommendation, the FBI stated\n   that the Sentinel PMO is currently awaiting an Engineering Change\n   Proposal, due on August 31, 2007. At that time, the costs for\n   Phases 2-4 will be negotiated, if necessary, with Lockheed Martin.\n   This recommendation was based on our concern that when\n   requirements are deferred from a phase, cost adjustments should\n   be made to that phase accordingly. This recommendation can be\n   closed when the FBI provides documentation of a policy requiring\n   negotiations to reduce the cost of future phases if requirements are\n   deferred from one phase to a later phase. We will continue to\n   monitor the FBI\xe2\x80\x99s implementation of this recommendation over\n   future project phases.\n\n\n                                  - 129 -\n\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n3. Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n   stated agreement with Lockheed Martin to report EVM performance\n   against both the original integrated baseline review and subsequent\n   baseline revisions, if any. Additionally, this agreement will be\n   implemented as part of the new plan for Phases 2-4. This\n   recommendation can be closed when we receive documentation\n   that EVM data is being collected and reported for both the\n   performance measurement baseline approved at the integrated\n   baseline review as well as the revised performance measurement\n   baseline.\n\n4. Resolved. The FBI agrees with this recommendation and stated\n   that the Sentinel PMO \xe2\x80\x9cstood down\xe2\x80\x9d EVM reporting on June 14,\n   2007, and has not accepted any Lockheed Martin invoices pending\n   disclosure of the reasons for cost discrepancies and an acceptable\n   action plan to prevent further occurrence. The FBI also stated that\n   on August 7, 2007, Lockheed Martin disclosed the reasons causing\n   the discrepancies and proposed an action plan. The FBI is currently\n   evaluating those reasons and the action plan. This\n   recommendation can be closed when the FBI provides\n   documentation reconciling the discrepancies between the costs\n   Lockheed Martin reported for Phase 1 with Lockheed Martin\xe2\x80\x99s EVM\n   data and also provides documentation that policies and procedures\n   have been implemented to prevent any future discrepancies.\n\n5. Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n   statement that it is considering methods on how the effectiveness\n   of the mitigation strategy would be measured. This\n   recommendation can be closed when the FBI provides\n   documentation demonstrating the implementation of effectiveness\n   measures for all risk mitigation plans.\n\n6. Resolved. The FBI agrees with this recommendation and stated\n   that each Sentinel risk is assigned to a Risk Working Group in which\n   experienced personnel with diverse qualifications have sufficient\n   time and authority to adequately manage the risk. Additionally, the\n   dedicated Risk Coordinator maintains risks and action item status in\n   the Risk Register. This recommendation can be closed when we\n   receive documentation demonstrating that the personnel assigned\n   to manage risks devote sufficient time to the risks and have the\n   experience and authority to adequately manage the risks.\n\n7. Resolved. In response to this recommendation, the FBI stated\n   that the PMO agrees to track and report on issues that have a\n                                - 130 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n\n\n   material impact on the Sentinel program (i.e., any issue that has a\n   \xe2\x80\x9cmedium\xe2\x80\x9d or higher impact as specified in the FBI Risk Management\n   guidance documents and the Sentinel Risk Management Plan). This\n   recommendation can be closed when we receive documentation\n   demonstrating that project issues are being documented and\n   tracked as well as the plans to resolve those issues and their\n   ultimate resolution.\n\n8. Resolved. In response to this recommendation, FBI stated that\n   the PMO has developed an updated Bill of Materials Deviation Policy\n   and Procedure to ensure any changes are fully vetted by\n   appropriate Lockheed Martin and PMO review boards prior to\n   approval. This policy is currently in the review and approval\n   process. This recommendation can be closed when we receive\n   documentation demonstrating that procedures are in place to\n   ensure that any changes to the Bill of Materials receive proper\n   authorization and that the changes can be reconciled to the Bill of\n   Materials submitted in Lockheed Martin\xe2\x80\x99s proposal.\n\n9. Resolved. The FBI agrees with this recommendation and stated\n   that as of June 2007, the PMO has required Lockheed Martin to map\n   its invoices to the Bill of Materials. Additionally, Lockheed Martin\n   was required to implement this new procedure prior to the\n   acceptance of any invoices by the PMO. This recommendation can\n   be closed when we receive documentation demonstrating that the\n   FBI has implemented policies and procedures to ensure that\n   materials contained in the Lockheed Martin invoices can be\n   reconciled to the Bill of Materials or an FBI approval for a change to\n   the Bill of Materials.\n\n\n\n\n                                 - 131 -\n\n                 REDACTED FOR PUBLIC RELEASE\n\x0c'